restore system_server zygote socket rules

1601132086b054adc70e7f8f38ed24574c90bc37 removed the getattr/getopt
support for system_server, which is needed to close the zygote socket.
See b/12061011 for details.

system_server still needs this rule, and it's expected to stay
permanently. Restore the rule and remove the comment about it eventually
being deleted.

Addresses the following denials:

<5>[ 86.307639] type=1400 audit(1393376281.530:5): avc: denied { getattr } for pid=656 comm="main" path="socket:[7195]" dev=sockfs ino=7195 scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
<5>[ 86.307945] type=1400 audit(1393376281.530:6): avc: denied { getopt } for pid=656 comm="main" path="/dev/socket/zygote" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket

Bug: 12114500
Change-Id: I47033766dea3ba2fdaa8ce9b4251370bd64aea6d
diff --git a/system_server.te b/system_server.te
index f48fd2c..d7fd530 100644
--- a/system_server.te
+++ b/system_server.te
@@ -21,6 +21,9 @@
allow system_server zygote:process sigchld;
allow system_server zygote_tmpfs:file read;
+# Needed to close the zygote socket, which involves getopt / getattr
+allow system_server zygote:unix_stream_socket { getopt getattr };
+
# system server gets network and bluetooth permissions.
net_domain(system_server)
bluetooth_domain(system_server)
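Review bot: The new comment on the `allow system_server zygote:unix_stream_socket { getopt getattr };` line should say that the rule is permanent and cite the bug, since this exact rule was already removed once by 1601132086b054adc70e7f8f38ed24574c90bc37 and the commit message says it is "expected to stay permanently"; something like `# Needed to close the zygote socket (getopt / getattr). Permanent, see b/12061011; do not remove.` would stop the next cleanup pass from reintroducing the denials. The permission set itself is correctly minimal: it grants only `getopt` and `getattr` on `unix_stream_socket` for scontext `system_server` and tcontext `zygote`, which matches the two audit denials verbatim and does not widen to `read`/`write`/`connectto`. Separately, the hunk contains only `+` lines, so the "remove the comment about it eventually being deleted" step in the commit message has no corresponding `-` line here; either that comment was already dropped by the earlier change, in which case the message should say so, or the deletion is missing from this patch.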