From 77cc05502f34090c4daaf06c92692bd3b85a861c Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 15 Apr 2014 14:53:05 -0700
Subject: [PATCH] Label /dev/usb-ffs/adb functionfs
Newer adbd versions use functionfs instead of a custom adb usb gadget. Make sure the functionfs filesystem is properly labeled, and that adbd has access to the functionfs files. Once labeled, this addresses the following denials:
<12>[ 16.127191] type=1400 audit(949060866.189:4): avc: denied { read write } for pid=223 comm="adbd" name="ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[ 16.127406] type=1400 audit(949060866.189:5): avc: denied { open } for pid=223 comm="adbd" path="/dev/usb-ffs/adb/ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[ 377.366011] type=1400 audit(949061227.419:16): avc: denied { ioctl } for pid=225 comm="adbd" path="/dev/usb-ffs/adb/ep2" dev="functionfs" ino=5564 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
Change-Id: Iee8b522e48b4d677fd12f7c83dbc7ffbc9543ad2
---
 adbd.te | 4 +++-
 file.te | 1 +
 genfs_contexts | 1 +
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/adbd.te b/adbd.te
index 76cc4b1d5..44607c712 100644
--- a/adbd.te
+++ b/adbd.te
@@ -22,8 +22,10 @@ allow adbd self:capability setpcap;
 # Create and use network sockets.
 net_domain(adbd)
-# Access /dev/android_adb.
+# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
 allow adbd adb_device:chr_file rw_file_perms;
+allow adbd functionfs:dir search;
+allow adbd functionfs:file rw_file_perms;
 # Use a pseudo tty.
 allow adbd devpts:chr_file rw_file_perms;
diff --git a/file.te b/file.te
index 0ddf50f1f..af2f9583e 100644
--- a/file.te
+++ b/file.te
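Review bot: The updated comment above the new rules in adbd.te names only `/dev/usb-ffs/adb/ep0`, but the two added `allow` lines are written against the `functionfs` type, so they apply to every file carrying that label; the third denial quoted in the commit message is already on `ep2`. I would word the comment to match what the rule covers, e.g. `# Access /dev/android_adb or the functionfs endpoints under /dev/usb-ffs/adb.` The permissions granted look proportionate to the logged denials (read, write, open, ioctl), assuming `rw_file_perms` expands here as it does for the neighbouring `chr_file` rules.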
@@ -32,6 +32,7 @@ type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
 type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, mlstrustedobject;
 type pstorefs, fs_type;
+type functionfs, fs_type;
 # File types
 type unlabeled, file_type;
diff --git a/genfs_contexts b/genfs_contexts
index 07208f943..ec636b6e9 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -29,3 +29,4 @@ genfscon vfat / u:object_r:sdcard_external:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:sdcard_internal:s0
 genfscon pstore / u:object_r:pstorefs:s0
+genfscon functionfs / u:object_r:functionfs:s0
-- GitLab
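Review bot: The added `genfscon functionfs /` line in genfs_contexts labels the root of the filesystem type, so every functionfs mount on the device receives `u:object_r:functionfs:s0`, not only the one at `/dev/usb-ffs/adb`. Combined with `allow adbd functionfs:file rw_file_perms;` in the adbd.te hunk, adbd would also gain read/write on any other USB function later served through functionfs. Nothing in this patch shows a second user, so recording the assumption next to the label is enough for now: `# Single label for all functionfs mounts; currently only adbd's gadget. Split the type if another function adopts functionfs.`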