Commit 8044129f authored by Nick Kralevich

system_server: allow appendable file descriptors

system_server is currently allowed write (but not open) access to
various app file descriptor types, to allow it to perform write
operations on file descriptors passed to it from Android processes.
However, system_server was not allowed to handle file descriptors
open only for append operations.

Write operations are a superset of that allowed by appendable
operations, so it makes no sense to deny system_server the use of
appendable file descriptors. Allow it for app data types, as well as a
few other types (for robustness).

Addresses the following denial generated when adb bugreport is run:

  type=1400 audit(0.0:12): avc: denied { append } for
  path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-MASTER-2016-10-29-08-13-50-dumpstate_log-6214.txt"
  dev="dm-2" ino=384984 scontext=u:r:system_server:s0
  tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

Bug: 32246161
Test: policy compiles
Test: No more append denials when running adb shell am bug-report --progress
Change-Id: Ia4e81cb0b3c3580fa9130952eedaed9cab3e8487
parent ece32729
...@@ -200,7 +200,7 @@ allow system_server sysfs_thermal:dir search; ...@@ -200,7 +200,7 @@ allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms; allow system_server sysfs_thermal:file r_file_perms;
# TODO: Remove when HALs are forced into separate processes # TODO: Remove when HALs are forced into separate processes
allow system_server sysfs_vibrator:file write; allow system_server sysfs_vibrator:file { write append };
# TODO: added to match above sysfs rule. Remove me? # TODO: added to match above sysfs rule. Remove me?
allow system_server sysfs_usb:file w_file_perms; allow system_server sysfs_usb:file w_file_perms;
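Review bot: the `sysfs_vibrator:file { write append }` change has no stated justification. The commit message's denial is on `shell_data_file`, and its reasoning is about descriptors passed in from Android processes, which does not obviously apply to a sysfs node. The line also sits under "TODO: Remove when HALs are forced into separate processes", so it widens a rule that is already marked for removal. Either add a comment on this line saying which caller opens the vibrator node with O_APPEND, or drop this hunk and keep the change to the data-file rules.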
...@@ -308,10 +308,10 @@ allow system_server system_app_data_file:file create_file_perms; ...@@ -308,10 +308,10 @@ allow system_server system_app_data_file:file create_file_perms;
# Receive and use open app data files passed over binder IPC. # Receive and use open app data files passed over binder IPC.
# Types extracted from seapp_contexts type= fields. # Types extracted from seapp_contexts type= fields.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write }; allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
# Receive and use open /data/media files passed over binder IPC. # Receive and use open /data/media files passed over binder IPC.
allow system_server media_rw_data_file:file { getattr read write }; allow system_server media_rw_data_file:file { getattr read write append };
# Relabel apk files. # Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto }; allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
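Review bot: the comments above the two changed rules ("Receive and use open app data files passed over binder IPC" and the `/data/media` equivalent) should say why `append` is listed separately from `write`, since the commit message's point that an append-only descriptor is checked against `append` rather than `write` is not recorded in the policy file. A short comment also noting that `open` is still deliberately withheld would stop a later cleanup from collapsing the set into a macro. The listed tests only exercise `shell_data_file` (the type in the quoted denial); the other five app data types and `media_rw_data_file` are changed for robustness without a test, which is worth stating in the commit message or covering with a test.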
......
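The check behind the commit message, as an added example that is not part of the commit or the AOSP tree: it parses the quoted AVC denial and tests it against the app-data rule before and after the change. The function names are hypothetical, and the rule parser assumes literal type and permission names only (no attributes or macros such as `w_file_perms`).

```python
import re

# Denial quoted in the commit message, joined onto one line.
DENIAL = ('type=1400 audit(0.0:12): avc: denied { append } for '
          'path="/data/user_de/0/com.android.shell/files/bugreports/'
          'bugreport-MASTER-2016-10-29-08-13-50-dumpstate_log-6214.txt" '
          'dev="dm-2" ino=384984 scontext=u:r:system_server:s0 '
          'tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0')

# The app-data rule from the diff, before and after the change.
TYPES = ('{ system_app_data_file bluetooth_data_file nfc_data_file '
         'radio_data_file shell_data_file app_data_file }')
RULE_BEFORE = f'allow system_server {TYPES}:file {{ getattr read write }};'
RULE_AFTER = f'allow system_server {TYPES}:file {{ getattr read write append }};'

def _set(text):
    """Turn 'a' or '{ a b }' into a set of names."""
    return set(text.strip().strip('{}').split())

def parse_denial(line):
    """Extract (source type, target type, class, denied perms) from an AVC line."""
    perms = _set(re.search(r'denied\s+(\{[^}]*\})', line).group(1))
    def field(key):
        return re.search(rf'\b{key}=(\S+)', line).group(1)
    # A context is user:role:type:level; the type is the third field.
    stype = field('scontext').split(':')[2]
    ttype = field('tcontext').split(':')[2]
    return stype, ttype, field('tclass'), perms

def parse_allow(rule):
    """Parse one 'allow src tgt:class perms;' rule (literal names only)."""
    m = re.fullmatch(r'allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*'
                     r'(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+)\s*;', rule.strip())
    return tuple(_set(g) for g in m.groups())

def missing_perms(denial, rules):
    """Return the denied permissions that no rule in `rules` grants."""
    stype, ttype, tclass, perms = parse_denial(denial)
    granted = set()
    for src, tgt, cls, allowed in map(parse_allow, rules):
        if stype in src and ttype in tgt and tclass in cls:
            granted |= allowed
    return perms - granted

if __name__ == '__main__':
    print('before:', missing_perms(DENIAL, [RULE_BEFORE]))
    print('after: ', missing_perms(DENIAL, [RULE_AFTER]))
```

The old rule grants `write` but leaves `append` uncovered, which is the denial the commit message reports; the new rule leaves nothing missing.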