Commit 6586fe31 authored by Nick Kralevich

Allow more file ioctls

The shell script interpreter checks if file descriptors are ttys, which
causes a bunch of denials. Allow the benign ioctl TCGETS. Addresses the
following denials:

  type=1400 audit(0.0:321): avc: denied { ioctl } for comm="sh"
  path="/data/misc/perfprofd/perferr.txt" dev="sda13" ino=6817306
  ioctlcmd=5401 scontext=u:r:perfprofd:s0
  tcontext=u:object_r:perfprofd_data_file:s0 tclass=file permissive=0

  type=1400 audit(0.0:3189): avc: denied { ioctl } for comm="ps"
  path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-XXXXXXXXX-MASTER-2018-10-11-16-52-40.tmp"
  dev="dm-2" ino=25546 ioctlcmd=0x5401 scontext=u:r:dumpstate:s0
  tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

  type=1400 audit(0.0:3004): avc: denied { ioctl } for comm="top"
  path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-XXXXXXXXX-MASTER-2018-10-11-16-52-40.tmp"
  dev="dm-2" ino=25546 ioctlcmd=0x5401 scontext=u:r:dumpstate:s0
  tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

Include the virtual sdcard when allowing F2FS specific sqlite ioctls,
since apps write sqlite files to the virtual sdcard. Addresses the
following denials:

  type=1400 audit(0.0:324): avc: denied { ioctl } for comm="amapLocManagerT"
  path="/storage/emulated/0/amap/openamaplocationsdk/alsn20170807.db"
  dev="sdcardfs" ino=3546650 ioctlcmd=f50c
  scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:sdcardfs:s0
  tclass=file permissive=0 app=com.xiaomi.hm.health

Test: policy compiles.
Change-Id: I7fc570f2bbf69485b1ee6e6b2d9a421639d29123
parent 186466e9
......@@ -325,11 +325,17 @@ allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
# named pipes, and named sockets)
allowxperm domain { file_type fs_type }:{ dir notdevfile_class_set } ioctl { 0 };
# Allow a process to make a determination whether a file descriptor
# for a plain file is a tty. Note that granting this whitelist to domain
# does not grant the ioctl permission to these files. That must be granted
# separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
# Support sqlite F2FS specific optimizations
# ioctl permission on the specific file type is still required
# TODO: consider only compiling these rules if we know the
# /data partition is F2FS
allowxperm domain file_type:file ioctl {
allowxperm domain { file_type sdcard_type }:file ioctl {
F2FS_IOC_ABORT_VOLATILE_WRITE
F2FS_IOC_COMMIT_ATOMIC_WRITE
F2FS_IOC_GET_FEATURES
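Review bot: the comment block above the widened F2FS rule no longer matches the rule once `sdcard_type` joins `file_type` in the target set. "# Support sqlite F2FS specific optimizations" and the TODO "consider only compiling these rules if we know the /data partition is F2FS" still talk only about /data, but the rule now also whitelists these ioctls on every file under the virtual sdcard for every domain; the commit message's rationale (apps write sqlite files to the virtual sdcard) should be captured there, e.g. extend the TODO to "if we know the /data partition (and the storage backing the virtual sdcard) is F2FS". Worth keeping the existing note that ioctl permission on the specific file type is still required, since that is what stops this broadening from granting anything by itself; the new TCGETS line carries the same caveat ("does not grant the ioctl permission to these files"), which matches the denials quoted in the message (tclass=file, ioctlcmd=0x5401).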