Add functionfs access to system_server.

UsbDeviceManager in system_server now helps set up the endpoint files. Bug: 72877174 Test: No selinux denials Change-Id: I96b11ee68799ac29b756d2034e7f5e4660dbed98

Add functionfs access to system_server.
1d401545 · Jerry Zhang · 17d008ae · 1d401545 · 1d401545
Commit 1d401545 authored 7 years ago by Jerry Zhang
--- a/private/domain.te
+++ b/private/domain.te
@@ -105,7 +105,8 @@ full_treble_only(`
    -adbd
    -init
    -mediaprovider
-  }functionfs:file no_rw_file_perms;
+    -system_server
+  } functionfs:file no_rw_file_perms;
  # usbfs and binfmt_miscfs
  neverallow {

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -761,6 +761,10 @@ userdebug_or_eng(`
  allow system_server mediaextractor_update_service:service_manager find;
 ')
+# UsbDeviceManager uses /dev/usb-ffs
+allow system_server functionfs:dir search;
+allow system_server functionfs:file rw_file_perms;
 ###
 ### Neverallow rules
 ###