From 0b8c20e7ddce7cf791447f15be540ee2d0a6bfb2 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 9 Oct 2013 12:27:27 -0700
Subject: [PATCH] Allow apps to use the USB Accessory functionality

Apps may need to access the USB Accessory interface, which
involves reads / writes / etc to /dev/usb_accessory
and /dev/bus/usb/*

See http://developer.android.com/guide/topics/connectivity/usb/accessory.html
for more information.

This addresses the following denials:

[   80.075727] type=1400 audit(1379351306.384:9): avc:  denied  { read write } for  pid=496 comm="Binder_1" path="/dev/usb_accessory" dev=tmpfs ino=5320 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usbaccessory_device:s0 tclass=chr_file
[   86.204387] type=1400 audit(1379304688.579:10): avc:  denied  { getattr } for  pid=1750 comm="Thread-126" path="/dev/usb_accessory" dev=tmpfs ino=5320 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usbaccessory_device:s0 tclass=chr_file
[ 2773.581032] type=1400 audit(1379307375.959:22): avc:  denied  { read write } for  pid=761 comm="Binder_A" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file
[ 2773.590843] type=1400 audit(1379307375.969:23): avc:  denied  { getattr } for  pid=5481 comm="android.app" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file
[ 2773.591111] type=1400 audit(1379307375.969:24): avc:  denied  { ioctl } for  pid=5481 comm="android.app" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file

Bug: 10780497
Change-Id: I9663222f7a75dcbf3c42788a5b8eac45e69e00bb
---
 app.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/app.te b/app.te
index 6da0895a9..242e5ab67 100644
--- a/app.te
+++ b/app.te
@@ -115,6 +115,14 @@ allow appdomain self:netlink_route_socket {
 # /system/bin/ping, for example.
 allow appdomain self:rawip_socket create_socket_perms;
 
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow appdomain usb_device:chr_file { read write getattr ioctl };
+allow appdomain usbaccessory_device:chr_file { read write getattr };
+
 ###
 ### Neverallow rules
 ###
-- 
GitLab