From 04e730b635d961f1610886e96622214b9a5e40d4 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 18 Jun 2014 16:22:43 -0700
Subject: [PATCH] system_server: allow open /dev/snd and read files

system_server needs to open /dev/snd and access files
within that directory. Allow it.

system_server needs to parse the ALSA card descriptors after a USB device
has been inserted. This happens from USBService in system_server.

Addresses the following denial:

  system_server( 1118): type=1400 audit(0.0:19): avc: denied { search } for comm=5573625365727669636520686F7374 name="snd" dev="tmpfs" ino=8574 scontext=u:r:system_server:s0 tcontext=u:object_r:audio_device:s0 tclass=dir

and likely others

Change-Id: Id274d3feb7bf337f492932e5e664d65d0b8d05b8
---
 system_server.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/system_server.te b/system_server.te
index d7643a0a4..a3a3cd193 100644
--- a/system_server.te
+++ b/system_server.te
@@ -163,6 +163,8 @@ allow system_server usbaccessory_device:chr_file rw_file_perms;
 allow system_server video_device:dir r_dir_perms;
 allow system_server video_device:chr_file rw_file_perms;
 allow system_server adbd_socket:sock_file rw_file_perms;
+allow system_server audio_device:dir r_dir_perms;
+allow system_server audio_device:chr_file r_file_perms;
 
 # tun device used for 3rd party vpn apps
 allow system_server tun_device:chr_file rw_file_perms;
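Review bot: The two added `audio_device` rules grant more than the single denial quoted in the commit message supports, since that denial is only a `search` on the `snd` directory and the message covers the rest with "and likely others". `r_file_perms` on `audio_device:chr_file` lets system_server open and read every node carrying that label, which presumably includes PCM capture devices as well as the control nodes needed for descriptor parsing; file_contexts is not visible here, so confirm this. It would be worth collecting the remaining denials in permissive mode and granting only the permissions that actually appear. The rules also lack a comment, unlike the tun rule below them, so a line such as `# USB audio: parse ALSA card descriptors under /dev/snd after device insertion` above them would record why system_server touches audio devices at all.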
-- 
GitLab