From 1d4015457555bc645d2efa3f21deb3fb36302441 Mon Sep 17 00:00:00 2001
From: Jerry Zhang <zhangjerry@google.com>
Date: Wed, 6 Dec 2017 16:13:59 -0800
Subject: [PATCH] Add functionfs access to system_server.

UsbDeviceManager in system_server now
helps set up the endpoint files.

Bug: 72877174
Test: No selinux denials
Change-Id: I96b11ee68799ac29b756d2034e7f5e4660dbed98
---
 private/domain.te        | 3 ++-
 private/system_server.te | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/private/domain.te b/private/domain.te
index 6ca859a97..614e4c71f 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -105,7 +105,8 @@ full_treble_only(`
     -adbd
     -init
     -mediaprovider
-  }functionfs:file no_rw_file_perms;
+    -system_server
+  } functionfs:file no_rw_file_perms;
 
   # usbfs and binfmt_miscfs
   neverallow {
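Review bot: The new `-system_server` entry in the exemption set has no rationale beside it, and once it is listed this neverallow no longer limits any functionfs:file read/write permission that system_server.te might be given later. A short comment next to the entry or above the rule would keep the reason for the carve-out with the guard, for example `# system_server: UsbDeviceManager sets up the endpoint files (b/72877174)`. The neverallow statement opens above this hunk, so an existing comment there may already list the exempted domains; if so, it should be extended rather than duplicated.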
diff --git a/private/system_server.te b/private/system_server.te
index de2e3fea3..a512e5d26 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -761,6 +761,10 @@ userdebug_or_eng(`
   allow system_server mediaextractor_update_service:service_manager find;
 ')
 
+# UsbDeviceManager uses /dev/usb-ffs
+allow system_server functionfs:dir search;
+allow system_server functionfs:file rw_file_perms;
+
 ###
 ### Neverallow rules
 ###
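Review bot: The rule `allow system_server functionfs:file rw_file_perms;` is type-wide, so it applies to every file labelled functionfs and not only to the endpoint files UsbDeviceManager sets up. adbd is on the same functionfs exemption list in private/domain.te, which suggests the type also labels adbd's endpoints, although the labelling rules are not visible in this patch. The comment `# UsbDeviceManager uses /dev/usb-ffs` does not say which files or which operations are intended. I would expand it to something like `# UsbDeviceManager sets up the functionfs endpoint files under /dev/usb-ffs.` followed by `# The functionfs type is shared by all functions, so this is not limited to one of them.`, after confirming that the second sentence is true. It is also worth checking whether setup needs the whole `rw_file_perms` set or only a subset.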
-- 
GitLab