From 8e0086a88691d5431e6657bbb85e5ca94df3c061 Mon Sep 17 00:00:00 2001
From: Niklas Brunlid <niklas.brunlid@sony.com>
Date: Fri, 1 Dec 2017 11:18:31 +0100
Subject: [PATCH] Allow system_server to create files on configfs

A change in the "open" syscall between kernel 4.4 and 4.9 means that
the "create" action is now checked and makes system_server trigger
an SELinux denial when PackageSettings is removing a user ID from
Settings.java/writeKernelRemoveUserLPr() in PackageManager.

Bug: 70150770
Test: Manual
- Add a new user on the device, no need to perform setup.
- Wait 30s
- Remove the added user
- While running, check the result of:
    adb logcat -v time -b events | grep audit | grep system_server
Change-Id: I1f490ea95d5bcb2adc76cba041bffbea131b447a
---
 private/system_server.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/private/system_server.te b/private/system_server.te
index e9942ed29..752dee7e0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -678,7 +678,7 @@ allow system_server app_fuse_file:file { read write open getattr append };
 
 # For configuring sdcardfs
 allow system_server configfs:dir { create_dir_perms };
-allow system_server configfs:file { getattr open unlink write };
+allow system_server configfs:file { getattr open create unlink write };
 
 # Connect to adbd and use a socket transferred from it.
 # Used for e.g. jdwp.
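Review bot: the grant of `create` on `configfs:file` widens system_server's write access to configfs, and nothing in the hunk records why a user-removal path needs it; the only explanation is in the commit message (the 4.9 `open` syscall now checks `create`). Consider extending the comment above the rule, e.g. `# For configuring sdcardfs; create is needed because open() on configfs files is checked for create on 4.9+ kernels`, so a later reader does not mistake it for an unnecessary permission and remove it. It would also help to paste the observed `avc: denied { create }` line from the `adb logcat -b events` check into the commit message, so the exact scontext/tcontext/tclass the rule is meant to satisfy is on record and the grant can be verified against it rather than only against a manual test.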
-- 
GitLab