From 63b98b17e41b74a7595dc80e1958550cf6b887d1 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 25 Feb 2014 19:42:38 -0800
Subject: [PATCH] restore system_server zygote socket rules

1601132086b054adc70e7f8f38ed24574c90bc37 removed the getattr/getopt
support for system_server, which is needed to close the zygote socket.
See b/12061011 for details.

system_server still needs this rule, and it's expected to stay
permanently. Restore the rule and remove the comment about it eventually
being deleted.

Addresses the following denials:

<5>[   86.307639] type=1400 audit(1393376281.530:5): avc:  denied  { getattr } for  pid=656 comm="main" path="socket:[7195]" dev=sockfs ino=7195 scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
<5>[   86.307945] type=1400 audit(1393376281.530:6): avc:  denied  { getopt } for  pid=656 comm="main" path="/dev/socket/zygote" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket

Bug: 12114500
Change-Id: I47033766dea3ba2fdaa8ce9b4251370bd64aea6d
---
 system_server.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/system_server.te b/system_server.te
index f48fd2cb0..d7fd53039 100644
--- a/system_server.te
+++ b/system_server.te
@@ -21,6 +21,9 @@ allow system_server zygote:fd use;
 allow system_server zygote:process sigchld;
 allow system_server zygote_tmpfs:file read;
 
+# Needed to close the zygote socket, which involves getopt / getattr
+allow system_server zygote:unix_stream_socket { getopt getattr };
+
 # system server gets network and bluetooth permissions.
 net_domain(system_server)
 bluetooth_domain(system_server)
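Review bot: the new comment in this hunk should carry the bug reference, since the commit message says this rule was removed once before (in 1601132086b0) and is now expected to stay permanently; a bare "Needed to close the zygote socket" comment is easy to drop again during a future cleanup. Suggest `# Needed to close the zygote socket, which involves getopt / getattr. See b/12061011.` so the rationale travels with the rule. The grant itself is appropriately narrow: only `getopt` and `getattr` on `unix_stream_socket`, which is exactly what the two denials show (`tclass=unix_stream_socket`, `scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0`), and no read/write or connect permission is added.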
-- 
GitLab