From 6790008920ac83b9108be3f6a486d27a3f32e636 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 18 Oct 2018 09:10:54 -0700
Subject: [PATCH] Allow TCGETS on pipes (fifo_file)

Allow a process to determine if a fifo_file (aka pipe, created from the
pipe() or pipe2() syscall) is a tty.

Addresses the following denials:

type=1400 audit(0.0:1307): avc: denied { ioctl } for comm="ls" path="pipe:[213117]" dev="pipefs" ino=213117 ioctlcmd=5401 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:r:hal_dumpstate_impl:s0 tclass=fifo_file permissive=0
type=1400 audit(0.0:22): avc: denied { ioctl } for comm="sh" path="pipe:[54971]" dev="pipefs" ino=54971 ioctlcmd=5401 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:r:untrusted_app_27:s0:c512,c768 tclass=fifo_file permissive=0 app=com.zhihu.android
type=1400 audit(0.0:237): avc: denied { ioctl } for comm="sh" path="pipe:[56997]" dev="pipefs" ino=56997 ioctlcmd=5401 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=fifo_file permissive=0 app=fm.qingting.qtradio

Test: policy compiles and device builds.
Change-Id: Ic4c6441d0ec33de8cda3f13ff529e98374897364
---
 public/domain.te | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index c34ef4f2e..355ec078f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -313,10 +313,11 @@ allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set } ioctl { FIOCLEX FIONCLEX };
 
 # Allow a process to make a determination whether a file descriptor
-# for a plain file is a tty. Note that granting this whitelist to domain
-# does not grant the ioctl permission to these files. That must be granted
-# separately.
+# for a plain file or pipe (fifo_file) is a tty. Note that granting
+# this whitelist to domain does not grant the ioctl permission to
+# these files. That must be granted separately.
 allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
+allowxperm domain domain:fifo_file ioctl { TCGETS };
 
 # Support sqlite F2FS specific optimizations
 # ioctl permission on the specific file type is still required
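Review bot: The new allowxperm line targets only `domain:fifo_file`, i.e. pipes whose label is a domain type (the anonymous pipe()/pipe2() objects in the quoted denials, where tcontext equals scontext), while the rewritten comment says "a plain file or pipe (fifo_file)", which a reader may take to cover named FIFOs on a filesystem as well; those are presumably labeled with a file_type rather than a domain and stay outside this whitelist, unlike the `{ file_type fs_type }:file` rule just above it. Consider narrowing the comment so it matches the rule's scope, e.g. `# for a plain file, or for an anonymous pipe (fifo_file labeled with a domain type), is a tty.`. It is worth keeping the existing sentence that allowxperm only extends the ioctl whitelist and that the base ioctl permission on fifo_file must still be granted per domain, since that is what keeps the broad `domain domain:fifo_file` target from widening access by itself.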
-- 
GitLab