From 8044129f425ed011061af3d062f3ce6979482388 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 29 Oct 2016 08:20:56 -0700
Subject: [PATCH] system_server: allow appendable file descriptors

system_server is currently allowed write (but not open) access to various app file descriptor types, to allow it to perform write operations on file descriptors passed to it from Android processes. However, system_server was not allowed to handle file descriptors open only for append operations. Write operations are a superset of that allowed by appendable operations, so it makes no sense to deny system_server the use of appendable file descriptors. Allow it for app data types, as well as a few other types (for robustness).

Addresses the following denial generated when adb bugreport is run:

type=1400 audit(0.0:12): avc: denied { append } for path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-MASTER-2016-10-29-08-13-50-dumpstate_log-6214.txt" dev="dm-2" ino=384984 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

Bug: 32246161
Test: policy compiles
Test: No more append denials when running adb shell am bug-report --progress
Change-Id: Ia4e81cb0b3c3580fa9130952eedaed9cab3e8487
---
 public/system_server.te | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/public/system_server.te b/public/system_server.te
index c562b6529..f700a77be 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -200,7 +200,7 @@ allow system_server sysfs_thermal:dir search;
 allow system_server sysfs_thermal:file r_file_perms;
 
 # TODO: Remove when HALs are forced into separate processes
-allow system_server sysfs_vibrator:file write;
+allow system_server sysfs_vibrator:file { write append };
 
 # TODO: added to match above sysfs rule. Remove me?
 allow system_server sysfs_usb:file w_file_perms;
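Review bot: The `+allow system_server sysfs_vibrator:file { write append };` line widens a rule that the preceding comment marks as temporary (`# TODO: Remove when HALs are forced into separate processes`), so the new `append` must go away together with `write` when that TODO is resolved; spelling that out, e.g. `# TODO: Remove this whole rule (write and append) when HALs are forced into separate processes`, keeps the eventual cleanup from leaving append behind. As far as I recall of the SELinux file permission mapping, a write through a descriptor opened O_APPEND is checked against `append` instead of `write`, so neither permission implies the other; the description's framing of write as a superset is inexact even though the permission being added is the right one. The cited denial is for shell_data_file only, so this sysfs change is the preemptive "robustness" part of the commit and is not exercised by the `Test:` lines.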
@@ -308,10 +308,10 @@ allow system_server system_app_data_file:file create_file_perms;
 
 # Receive and use open app data files passed over binder IPC.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
 
 # Receive and use open /data/media files passed over binder IPC.
-allow system_server media_rw_data_file:file { getattr read write };
+allow system_server media_rw_data_file:file { getattr read write append };
 
 # Relabel apk files.
 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
-- 
GitLab
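Review bot: Both widened rules still deliberately omit `open`, which is what confines system_server to descriptors an app hands it over binder instead of letting it open these files itself, and the comments above them should state that invariant now that the permission set has grown, e.g. `# No open permission here: system_server may only use descriptors handed to it, including ones opened O_APPEND.` The type list on the first `+` line is maintained by hand from seapp_contexts, so a type added there later would silently lack append as well as read/write; a note such as `# Keep in sync with seapp_contexts type= fields when adding permissions.` makes that maintenance burden visible at the rule. The media_rw_data_file widening on the second `+` line is the "robustness" case from the description and has no cited denial, so the `Test:` lines do not exercise it.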