allow recovery FUNCTIONFS_ENDPOINT_DESC

Commit ebc3a1a3 ("Move to ioctl whitelisting for plain files / directories", Oct 10th), enabled ioctl filtering on all files, including functionfs files. However, recovery performs the ioctl FUNCTIONFS_ENDPOINT_DESC on functionfs files, so allow it. Addresses the following denial: audit: type=1400 audit(673009.476:507811): avc: denied { ioctl } for pid=731 comm="recovery" path="/dev/usb-ffs/adb/ep1" dev="functionfs" ino=473 ioctlcmd=0x6782 scontext=u:r:recovery:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1 Test: policy compiles. Bug: 119877813 Change-Id: I09715acc16ab319b8d8b1f233cefaec23a358962

allow recovery FUNCTIONFS_ENDPOINT_DESC
Commit ebc3a1a3 ("Move to ioctl whitelisting for plain files / directories", Oct 10th), enabled ioctl filtering on all files, including functionfs files. However, recovery performs the ioctl FUNCTIONFS_ENDPOINT_DESC on functionfs files, so allow it. Addresses the following denial: audit: type=1400 audit(673009.476:507811): avc: denied { ioctl } for pid=731 comm="recovery" path="/dev/usb-ffs/adb/ep1" dev="functionfs" ino=473 ioctlcmd=0x6782 scontext=u:r:recovery:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1 Test: policy compiles. Bug: 119877813 Change-Id: I09715acc16ab319b8d8b1f233cefaec23a358962
ddd43bfc · Nick Kralevich · ac317b91 · ddd43bfc
Commit ddd43bfc authored 6 years ago by Nick Kralevich
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -76,6 +76,7 @@ recovery_only(`
  # Access /dev/usb-ffs/adb/ep0
  allow recovery functionfs:dir search;
  allow recovery functionfs:file rw_file_perms;
+  allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;

  # Access to /sys/fs/selinux/policyvers for compatibility check
  allow recovery selinuxfs:file r_file_perms;