Address SELinux denials for usbforward

denied { read write } for comm="usbforward" name="vport0p2" dev="tmpfs" scontext=u:r:usbforward:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { read } for comm="usbforward" name="/" dev="tmpfs" scontext=u:r:usbforward:s0 tcontext=u:object_r:device:s0 tclass=dir
denied { read } for comm="usbforward" name="usb" dev="tmpfs" scontext=u:r:usbforward:s0 tcontext=u:object_r:usb_device:s0 tclass=dir
denied { create } for comm="usbforward" scontext=u:r:usbforward:s0 tcontext=u:r:usbforward:s0 tclass=netlink_kobject_uevent_socket
denied { read } for comm="usbforward" name="devices" dev="sysfs" scontext=u:r:usbforward:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
denied { open } for comm="usbforward" path="/sys/bus/usb/devices" dev="sysfs" scontext=u:r:usbforward:s0 tcontext=u:object_r:sysfs:s0
denied { read } for comm="usbforward" name="busnum" dev="sysfs" scontext=u:r:usbforward:s0 tcontext=u:object_r:sysfs:s0 tclass=file
denied { open } for comm="usbforward" path="/sys/devices/platform/dummy_hcd.0/usb1/1-1/busnum" dev="sysfs" scontext=u:r:usbforward:s0 tcontext=u:object_r:sysfs:s0 tclass=file
denied { getattr } for comm="usbforward" path="/sys/devices/platform/dummy_hcd.0/usb1/1-1/busnum" dev="sysfs" scontext=u:r:usbforward:s0 tcontext=u:object_r:sysfs:s0 tclass=file
denied { read write } for comm="usbforward" name="002" dev="tmpfs" scontext=u:r:usbforward:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file

Test: Device boots, no SELinux denials for usbforward
Bug: 28053261
Change-Id: I794b628d380df459cc527156870fbeff57264418
diff --git a/shared/sepolicy/file.te b/shared/sepolicy/file.te
index 949b422..40615c3 100644
--- a/shared/sepolicy/file.te
+++ b/shared/sepolicy/file.te
@@ -1,4 +1,6 @@
 # File types
 type fb_ctl_file, file_type;
 type initial_metadata_file, file_type;
+# USB related portion of sysfs requiring privileged access, as opposed to sysfs_usb which is
+type sysfs_usb_priv, sysfs_type, file_type;
 type userspace_fb_file, file_type;
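Review bot: The comment added above `sysfs_usb_priv` stops mid-sentence ("as opposed to sysfs_usb which is"), so a reader never learns what separates the two labels. Finish it with something like `# USB-related sysfs nodes readable only by privileged domains; sysfs_usb is the generally accessible subset.`, if that is the intended distinction. The type also carries `file_type` alongside `sysfs_type`, so any rule elsewhere in the policy written against the `file_type` attribute would apply to these sysfs nodes as well, which works against a "privileged" label. If the base policy declares its other sysfs types that way, `type sysfs_usb_priv, fs_type, sysfs_type;` keeps the new label out of those attribute-wide grants.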
diff --git a/shared/sepolicy/file_contexts b/shared/sepolicy/file_contexts
index 6f46890..6db6407 100644
--- a/shared/sepolicy/file_contexts
+++ b/shared/sepolicy/file_contexts
@@ -10,6 +10,12 @@
 /initial\.metadata                 u:object_r:initial_metadata_file:s0
 
 #############################
+# sysfs files
+#
+/sys/bus/usb(/.*)?                             u:object_r:sysfs_usb_priv:s0
+/sys/devices/platform/dummy_hcd\.[0-9](/.*)?   u:object_r:sysfs_usb_priv:s0
+
+#############################
 # Vendor files
 #
 /system/vendor/bin/gce_fs_monitor  u:object_r:gce_fs_monitor_exec:s0
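Review bot: The `/sys/bus/usb(/.*)?` entry relabels the whole USB bus tree, while the denials in the commit message only show usbforward reading `/sys/bus/usb/devices` and a `busnum` file under `dummy_hcd.0`. Every other domain that reached those nodes through the generic `sysfs` label loses access after this change, and the only grant for `sysfs_usb_priv` visible in the patch is for usbforward. Confirm that nothing else on this target reads under `/sys/bus/usb`, or narrow the pattern to `/sys/bus/usb/devices(/.*)?`. A one-line comment above the two entries stating why they need a separate label would also help, since the `# sysfs files` header says nothing about the restriction.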
diff --git a/shared/sepolicy/usbforward.te b/shared/sepolicy/usbforward.te
index 16954bb..e286a10 100644
--- a/shared/sepolicy/usbforward.te
+++ b/shared/sepolicy/usbforward.te
@@ -2,3 +2,15 @@
 type usbforward_exec, exec_type, file_type;
 
 init_daemon_domain(usbforward)
+
+# Virtual serial device I/O
+allow usbforward virtual_serial_device:chr_file rw_file_perms;
+
+# USB I/O
+allow usbforward usb_device:dir r_dir_perms;
+allow usbforward usb_device:chr_file rw_file_perms;
+
+# /sys/bus/usb/devices, /sys/devices/platform/dummy_hcd.0/usb1/1-1/busnum
+r_dir_file(usbforward, sysfs_usb_priv)
+
+allow usbforward self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
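Review bot: The rule for `virtual_serial_device:chr_file` does not match the logged denial, which shows `vport0p2` with `tcontext=u:object_r:device:s0`, and no hunk in this patch adds a `file_contexts` entry giving that node the `virtual_serial_device` label. Unless the label is assigned elsewhere, that denial remains after this change. The `read` denial on `device:dir` is likewise not covered by any added rule. If that is deliberate, record it with a comment or a `dontaudit usbforward device:dir read;` line so the "no SELinux denials" test claim holds. The final `allow ... self:netlink_kobject_uevent_socket` line is the only rule without a comment, and `create_socket_perms_no_ioctl` grants more than the single `create` shown in the log, so a short comment stating what the socket is used for would justify the wider set.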