From f4d39ca123e58f12947fedf231e051a06ba51752 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 15 Aug 2015 11:21:04 -0700
Subject: [PATCH] allow domain adbd:unix_stream_socket ioctl;

https://android-review.googlesource.com/166419 changed the handling of non-interactive adb shells to use a socket instead of a PTY. When the stdin/stdout/stderr socket is received by /system/bin/sh, the code runs isatty() (ioctl TCGETS) to determine how to handle the file descriptor. This is denied by SELinux. Allow it for all domains.

Addresses the following denial:

avc: denied { ioctl } for pid=4394 comm="sh" path="socket:[87326]" dev="sockfs" ino=87326 ioctlcmd=5401 scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0

TODO: When kernels are publicly available which support SELinux ioctl filtering, limit this just to ioctl 5401 (TCGETS) instead of all ioctls.

Bug: 21215503
Change-Id: I5c9394f27b8f198d96df14eac4b0c46ecb9b0898
---
 domain.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 3f29fb665..07bc0ae65 100644
--- a/domain.te
+++ b/domain.te
@@ -44,7 +44,7 @@ allow domain system_server:fd use;
 # This is used for e.g. adb backup/restore.
 allow domain adbd:unix_stream_socket connectto;
 allow domain adbd:fd use;
-allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
+allow domain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
 userdebug_or_eng(`
 # Same as adbd rules above, except allow su to do the same thing
-- 
GitLab