From cb182aba64ed9e0051e542af4abd289f52ee6b70 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 5 Jun 2014 13:27:44 -0700
Subject: [PATCH] Allow adbd / shell /data/anr access

The shell user needs to be able to run commands like "cat /data/anr/traces.txt". Allow it. We also need to be able to pull the file via adb. "adb pull /data/anr/traces.txt". Allow it. Addresses the following denials:
<4>[ 20.212398] type=1400 audit(1402000262.433:11): avc: denied { getattr } for pid=1479 comm="adbd" path="/data/anr/traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[ 20.252182] type=1400 audit(1402000262.473:12): avc: denied { read } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[ 20.252579] type=1400 audit(1402000262.473:13): avc: denied { open } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[ 27.104068] type=1400 audit(1402000268.479:14): avc: denied { read } for pid=2377 comm="sh" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:shell:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
Bug: 15450720
(cherry picked from commit 4fd4a2054db06329acc524c7eb07715ec625dc5d)
Change-Id: Ide6f62183a1c6e2af4cbe84bb0ebb928cd8e63b7
---
 adbd.te | 4 ++++
 shell.te | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/adbd.te b/adbd.te
index 2e47fb62d..de6b1f99d 100644
--- a/adbd.te
+++ b/adbd.te
@@ -38,6 +38,10 @@ allow adbd shell_data_file:file create_file_perms;
 allow adbd sdcard_type:dir create_dir_perms;
 allow adbd sdcard_type:file create_file_perms;
+# adb pull /data/anr/traces.txt
+allow adbd anr_data_file:dir r_dir_perms;
+allow adbd anr_data_file:file r_file_perms;
+
 # Set service.adb.*, sys.powerctl properties.
 unix_socket_connect(adbd, property, init)
 allow adbd shell_prop:property_service set;
diff --git a/shell.te b/shell.te
index 94ad762db..50cc4f523 100644
--- a/shell.te
+++ b/shell.te
@@ -13,4 +13,8 @@ app_domain(shell)
 read_logd(shell)
 control_logd(shell)
+# read files in /data/anr
+allow shell anr_data_file:dir r_dir_perms;
+allow shell anr_data_file:file r_file_perms;
+
 # inherits from shelldomain.te
-- GitLab
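Review bot: The comment `# adb pull /data/anr/traces.txt` in the adbd.te hunk names a single file, but the two rules under it grant `r_dir_perms`/`r_file_perms` on everything labeled `anr_data_file`, so the comment understates what the policy now allows; the shell.te hunk adds the same rules under `# read files in /data/anr`, which describes the grant more accurately. Suggest aligning the adbd.te comment with it, e.g. `# Read-only access to /data/anr (anr_data_file), e.g. adb pull /data/anr/traces.txt`. Both grants are read-only, which matches the getattr/read/open denials quoted in the commit message and stops short of any write or create permission on the trace files. The commit does not say whether shell should be able to read ANR traces on all build types or only on debuggable ones; if production builds are intended, a one-line note in shell.te stating that would save the next reviewer the question.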