Label /dev/usb-ffs/adb functionfs
Newer adbd versions use functionfs instead of a custom adb usb gadget. Make sure the functionfs filesystem is properly labeled, and that adbd has access to the functionfs files. Once labeled, this addresses the following denials: <12>[ 16.127191] type=1400 audit(949060866.189:4): avc: denied { read write } for pid=223 comm="adbd" name="ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file <12>[ 16.127406] type=1400 audit(949060866.189:5): avc: denied { open } for pid=223 comm="adbd" path="/dev/usb-ffs/adb/ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file <12>[ 377.366011] type=1400 audit(949061227.419:16): avc: denied { ioctl } for pid=225 comm="adbd" path="/dev/usb-ffs/adb/ep2" dev="functionfs" ino=5564 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file Change-Id: Iee8b522e48b4d677fd12f7c83dbc7ffbc9543ad2
parent
53667e259f
commit
77cc05502f
4
adbd.te
4
adbd.te
@ -22,8 +22,10 @@ allow adbd self:capability setpcap;
|
||||
# Create and use network sockets.
|
||||
net_domain(adbd)
|
||||
|
||||
# Access /dev/android_adb.
|
||||
# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
|
||||
allow adbd adb_device:chr_file rw_file_perms;
|
||||
allow adbd functionfs:dir search;
|
||||
allow adbd functionfs:file rw_file_perms;
|
||||
|
||||
# Use a pseudo tty.
|
||||
allow adbd devpts:chr_file rw_file_perms;
|
||||
|
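Review bot: The updated comment above the allow rules names only /dev/usb-ffs/adb/ep0, but the two added rules grant adbd access to every file labeled functionfs, and the denials quoted in the commit message already include ep2. I would word it as `# Access /dev/android_adb or the functionfs endpoints under /dev/usb-ffs/adb/` so that a later audit of adbd's permissions reads the rule at its real width. The `allow adbd functionfs:dir search;` rule has no matching denial in the commit message; presumably it is needed to reach the endpoint files, and a short comment saying so would help.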
1
file.te
1
file.te
@ -32,6 +32,7 @@ type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
|
||||
type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
|
||||
type debugfs, fs_type, mlstrustedobject;
|
||||
type pstorefs, fs_type;
|
||||
type functionfs, fs_type;
|
||||
|
||||
# File types
|
||||
type unlabeled, file_type;
|
||||
|
@ -29,3 +29,4 @@ genfscon vfat / u:object_r:sdcard_external:s0
|
||||
genfscon debugfs / u:object_r:debugfs:s0
|
||||
genfscon fuse / u:object_r:sdcard_internal:s0
|
||||
genfscon pstore / u:object_r:pstorefs:s0
|
||||
genfscon functionfs / u:object_r:functionfs:s0
|
||||
|
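Review bot: A genfscon entry with path `/` labels by filesystem type, so the added line gives the functionfs type to every functionfs mount on the device, not only the /dev/usb-ffs/adb mount named in the commit title. If another USB gadget function is later backed by functionfs, its endpoint files would presumably inherit this label and fall under adbd's read/write rule. A comment such as `# Applies to all functionfs mounts; only /dev/usb-ffs/adb is expected today` would record that assumption next to the entry. The file header for this hunk is not visible on the page.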