From ddd43bfcc9a7ba9ccdcb499e8760d614bb69d25a Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 21 Nov 2018 12:37:40 -0800
Subject: [PATCH] allow recovery FUNCTIONFS_ENDPOINT_DESC

Commit ebc3a1a34ce914654fcc4edf9a2d26bf5fa76260 ("Move to ioctl
whitelisting for plain files / directories", Oct 10th), enabled ioctl
filtering on all files, including functionfs files. However, recovery
performs the ioctl FUNCTIONFS_ENDPOINT_DESC on functionfs files, so
allow it.

Addresses the following denial:

  audit: type=1400 audit(673009.476:507811): avc:  denied  { ioctl } for  pid=731 comm="recovery" path="/dev/usb-ffs/adb/ep1" dev="functionfs" ino=473 ioctlcmd=0x6782 scontext=u:r:recovery:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1

Test: policy compiles.
Bug: 119877813
Change-Id: I09715acc16ab319b8d8b1f233cefaec23a358962
---
 public/recovery.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/public/recovery.te b/public/recovery.te
index 9db6f5ef8..6cb391c40 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -76,6 +76,7 @@ recovery_only(`
   # Access /dev/usb-ffs/adb/ep0
   allow recovery functionfs:dir search;
   allow recovery functionfs:file rw_file_perms;
+  allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
 
   # Access to /sys/fs/selinux/policyvers for compatibility check
   allow recovery selinuxfs:file r_file_perms;
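Review bot: the added `allowxperm` line references the symbolic ioctl name `FUNCTIONFS_ENDPOINT_DESC`, but the hunk does not show where that name is defined as an ioctl macro; the denial in the commit message only gives the raw command number `ioctlcmd=0x6782`, so a reader of this patch cannot confirm the two correspond. Mention the defining file (or the mapping to 0x6782) in the commit message, since "Test: policy compiles" is the only evidence here that the macro exists. Otherwise the change follows the intended pattern: `rw_file_perms` on the line above already grants the generic `ioctl` permission, and the `allowxperm` narrows it to this one command rather than widening access. Minor: the comment above the block still reads `# Access /dev/usb-ffs/adb/ep0` while the denial was on `/dev/usb-ffs/adb/ep1`; consider updating the comment to say the endpoint files generally.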
-- 
GitLab