From 2c38b3b8099a26d4da1dead2d1f87f616f4df6fd Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 21 Oct 2014 22:39:42 -0700
Subject: [PATCH] DO NOT MERGE: allow access to labeled executables in /system

Most files on /system are labeled with the "system_file" label, and are readable by default by all SELinux domains. However, select executables are labeled with their own label, so that SELinux knows what domains to enter upon running the executable. Allow adbd read access to labeled executables in /system. We do this by granting adbd read access to exec_type, the attribute assigned to all executables on /system. This allows "adb pull /system" to work without generating SELinux denials.

Bug: 18078338
Change-Id: I97783759af083968890f15f7b1d8fff989e80604
---
 adbd.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/adbd.te b/adbd.te
index b0f589521..5fcaf6938 100644
--- a/adbd.te
+++ b/adbd.te
@@ -65,6 +65,10 @@ allow adbd app_data_file:dir search;
 allow adbd app_data_file:sock_file write;
 allow adbd appdomain:unix_stream_socket connectto;
 
+# b/18078338 - allow read access to executable types on /system
+# to assist with debugging OTA issues.
+allow adbd exec_type:file r_file_perms;
+
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
 allow adbd system_file:file r_file_perms;
-- 
GitLab
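Review bot: The added `allow adbd exec_type:file r_file_perms;` is keyed on an attribute, so it grants adbd read access to every type that carries exec_type, including types added later, and not only to files that happen to sit on /system as the comment says. The comment should state that scope, for example `# exec_type is an attribute: this covers all current and future executable types; read only, no execute or transition.` (this assumes r_file_perms carries no execute permission; the macro is defined outside this hunk). If zygote_exec carries exec_type, the `allow adbd zygote_exec:file r_file_perms;` rule two lines below is now redundant and could be dropped or marked as such. Since the stated purpose is debugging OTA issues, it is worth confirming whether the rule is intended for user builds or should be limited to debug builds.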