From 17cfd3fce72613613a92929ba564ad14d2a50241 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Tue, 14 Jun 2016 13:41:47 -0700
Subject: [PATCH] Keep pre-existing sysfs write permissions.

Commit: b144ebab482891cef32ee84c06dbb0f943823573 added the sysfs_usb
type and granted the read perms globally, but did not add write
permissions for all domains that previously had them.  Grant write
access to sysfs_usb to every domain that could previously write those
files through the generic sysfs type.

Address denials such as:
type=1400 audit(1904.070:4): avc:  denied  { write } for  pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0

Bug: 28417852
Change-Id: I4562ea73f2158ebefba74b58ca572f2176d1b849
---
 dumpstate.te     | 3 +++
 gpsd.te          | 3 +++
 healthd.te       | 3 +++
 netd.te          | 3 +++
 nfc.te           | 3 +++
 system_server.te | 3 +++
 ueventd.te       | 1 +
 vold.te          | 3 +++
 8 files changed, 22 insertions(+)

diff --git a/dumpstate.te b/dumpstate.te
index 64ca3010c..b1ae22b36 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -82,6 +82,9 @@ domain_auto_trans(dumpstate, vdc_exec, vdc)
 # TODO: create a new file class, instead of allowing write access to all of /sys
 allow dumpstate sysfs:file w_file_perms;
 
+# TODO: added to match above sysfs rule. Remove me?
+allow dumpstate sysfs_usb:file w_file_perms;
+
 # Other random bits of data we want to collect
 allow dumpstate qtaguid_proc:file r_file_perms;
 allow dumpstate debugfs:file r_file_perms;
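Review bot: The added comment `# TODO: added to match above sysfs rule. Remove me?` names no criterion for removal and no bug reference, so a later reader cannot tell whether dumpstate has ever been observed writing a sysfs_usb node; the commit message records a denial only for ueventd. Suggest rewording it to something like `# TODO(Bug 28417852): mirrors the sysfs w_file_perms rule above; drop once dumpstate is confirmed not to write USB sysfs nodes.` so the grant carries its own justification and exit condition. The identical comment is added in gpsd.te, healthd.te, netd.te, nfc.te, system_server.te and vold.te and would benefit from the same treatment.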
diff --git a/gpsd.te b/gpsd.te
index 4b2222314..cd202958f 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -13,6 +13,9 @@ allow gpsd gps_socket:sock_file create_file_perms;
 # XXX Label sysfs files with a specific type?
 allow gpsd sysfs:file rw_file_perms;
 
+# TODO: added to match above sysfs rule. Remove me?
+allow gpsd sysfs_usb:file w_file_perms;
+
 allow gpsd gps_device:chr_file rw_file_perms;
 
 # Execute the shell or system commands.
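Review bot: The new rule grants `w_file_perms` on sysfs_usb while the sysfs rule it mirrors grants `rw_file_perms`, so gpsd's read access to these files now rests entirely on the global sysfs_usb read rule from commit b144ebab rather than on anything in gpsd.te. That matches the commit message but is not recorded in the file; a comment such as `# read access to sysfs_usb comes from the global rule` would keep the narrower grant from being mistaken for an omission if the global rule is ever tightened. The same asymmetry appears in vold.te and ueventd.te.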
diff --git a/healthd.te b/healthd.te
index f54d716a9..2658ef84c 100644
--- a/healthd.te
+++ b/healthd.te
@@ -19,6 +19,9 @@ binder_call(healthd, system_server)
 # TODO:  Split into a separate type?
 allow healthd sysfs:file write;
 
+# TODO: added to match above sysfs rule. Remove me?
+allow healthd sysfs_usb:file write;
+
 allow healthd sysfs_batteryinfo:file r_file_perms;
 
 ###
diff --git a/netd.te b/netd.te
index 0d9c047a4..9b44e4bdf 100644
--- a/netd.te
+++ b/netd.te
@@ -32,6 +32,9 @@ allow netd proc_net:file write;
 # XXX Split into its own type.
 allow netd sysfs:file write;
 
+# TODO: added to match above sysfs rule. Remove me?
+allow netd sysfs_usb:file write;
+
 # Needed to update /data/misc/wifi/hostapd.conf
 # TODO: See what we can do to reduce the need for
 # these capabilities
diff --git a/nfc.te b/nfc.te
index 2ca43dddf..5b7f4b9f0 100644
--- a/nfc.te
+++ b/nfc.te
@@ -17,6 +17,9 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
 allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
 
+# TODO: added to match above sysfs rule. Remove me?
+allow nfc sysfs_usb:file write;
+
 # SoundPool loading and playback
 allow nfc mediaserver_service:service_manager find;
 allow nfc audioserver_service:service_manager find;
diff --git a/system_server.te b/system_server.te
index e1b2f5842..e74f58ceb 100644
--- a/system_server.te
+++ b/system_server.te
@@ -190,6 +190,9 @@ allow system_server sysfs_mac_address:file r_file_perms;
 allow system_server sysfs_thermal:dir search;
 allow system_server sysfs_thermal:file r_file_perms;
 
+# TODO: added to match above sysfs rule. Remove me?
+allow system_server sysfs_usb:file w_file_perms;
+
 # Access devices.
 allow system_server device:dir r_dir_perms;
 allow system_server mdns_socket:sock_file rw_file_perms;
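Review bot: The comment `# TODO: added to match above sysfs rule. Remove me?` refers to a sysfs rule that is not adjacent: the context lines above it grant sysfs_mac_address and sysfs_thermal access, and no `allow system_server sysfs:file` write rule is visible in this hunk. If such a rule exists further up in system_server.te, either place the new line next to it or name it in the comment; if it does not, the comment's justification does not hold for this domain and should be restated in terms of what system_server actually writes under the USB sysfs nodes.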
diff --git a/ueventd.te b/ueventd.te
index 3881445ee..9a24357be 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -14,6 +14,7 @@ allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio da
 allow ueventd device:file create_file_perms;
 allow ueventd device:chr_file rw_file_perms;
 allow ueventd sysfs:file rw_file_perms;
+allow ueventd sysfs_usb:file w_file_perms;
 allow ueventd sysfs_hwrandom:file w_file_perms;
 allow ueventd sysfs_zram_uevent:file w_file_perms;
 allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
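Review bot: This is the only one of the eight new rules backed by an observed denial (the ueventd audit line in the commit message) and the only one added without a TODO marker, but nothing in the file records that distinction. A short comment beside the new line, e.g. `# Writes uevent nodes under /sys; see Bug 28417852`, would let a later cleanup of the TODO'd sysfs_usb rules in the other domains know that this one is intended to stay.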
diff --git a/vold.te b/vold.te
index 6d5d9942e..8cea0c3c7 100644
--- a/vold.te
+++ b/vold.te
@@ -90,6 +90,9 @@ allow vold self:capability { sys_ptrace kill };
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
 
+# TODO: added to match above sysfs rule. Remove me?
+allow vold sysfs_usb:file w_file_perms;
+
 allow vold kmsg_device:chr_file rw_file_perms;
 
 # Run fsck in the fsck domain.
-- 
GitLab