From c4021cebcf19a4c3f95395f7715a3cc9ed2b44c0 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 3 Jan 2014 14:38:41 -0500
Subject: [PATCH] Address adb backup/restore denials.

Resolves the following denials seen during an adb backup and restore
sequence.

<5>[   90.247039] type=1400 audit(1388759567.693:16): avc:  denied  { getopt } for  pid=3503 comm="Thread-149" scontext=u:r:system_server:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket
<5>[   90.249176] type=1400 audit(1388759567.703:17): avc:  denied  { getopt } for  pid=2334 comm="app_process" scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket

Change-Id: I1f6f90f29eecc32ee692764b04b812988f099cde
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 826a67fc4..ff641bd3a 100644
--- a/domain.te
+++ b/domain.te
@@ -23,9 +23,10 @@ allow domain init:fd use;
 allow domain system_server:fd use;
 
 # Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
 allow domain adbd:unix_stream_socket connectto;
 allow domain adbd:fd use;
-allow domain adbd:unix_stream_socket { getattr read write shutdown };
+allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
 
 ###
 ### Talk to debuggerd.
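Review bot: The new `getopt` permission in `allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };` is granted to every domain, but the two denials quoted in the commit message have only `system_server` and `shell` as the source context. If no other domain is expected to call getsockopt() on a socket inherited from adbd, a narrower rule such as `allow { system_server shell } adbd:unix_stream_socket getopt;` would resolve the same denials without widening the domain-wide set. If the domain-wide grant is deliberate, for consistency with the existing `getattr read write shutdown` set, the comment should say so, for example `# getopt is needed by system_server and shell during adb backup/restore; granted domain-wide to match the other socket permissions.` That would let a later audit of `domain` rules tell the grant was intentional.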
-- 
GitLab