allow recovery FUNCTIONFS_ENDPOINT_DESC Commit ebc3a1a34ce914654fcc4edf9a2d26bf5fa76260 ("Move to ioctl whitelisting for plain files / directories", Oct 10th), enabled ioctl filtering on all files, including functionfs files. However, recovery performs the ioctl FUNCTIONFS_ENDPOINT_DESC on functionfs files, so allow it. Addresses the following denial: audit: type=1400 audit(673009.476:507811): avc: denied { ioctl } for pid=731 comm="recovery" path="/dev/usb-ffs/adb/ep1" dev="functionfs" ino=473 ioctlcmd=0x6782 scontext=u:r:recovery:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1 Test: policy compiles. Bug: 119877813 Change-Id: I09715acc16ab319b8d8b1f233cefaec23a358962

commit: ddd43bfcc9a7ba9ccdcb499e8760d614bb69d25a [log] [tgz]
author: Nick Kralevich <nnk@google.com> Wed Nov 21 12:37:40 2018 -0800
committer: Nick Kralevich <nnk@google.com> Wed Nov 21 12:42:42 2018 -0800
tree: 0be5649f4044f1733bc9a7df626596be35d1f53a
parent: ac317b915eeb96265e4681bebab3b711ab0eb7bf [diff]
diff --git a/public/recovery.te b/public/recovery.te
index 9db6f5e..6cb391c 100644
--- a/public/recovery.te
+++ b/public/recovery.te

@@ -76,6 +76,7 @@
   # Access /dev/usb-ffs/adb/ep0
   allow recovery functionfs:dir search;
   allow recovery functionfs:file rw_file_perms;
+  allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
 
   # Access to /sys/fs/selinux/policyvers for compatibility check
   allow recovery selinuxfs:file r_file_perms;
commit	ddd43bfcc9a7ba9ccdcb499e8760d614bb69d25a	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Wed Nov 21 12:37:40 2018 -0800
committer	Nick Kralevich <nnk@google.com>	Wed Nov 21 12:42:42 2018 -0800
tree	0be5649f4044f1733bc9a7df626596be35d1f53a
parent	ac317b915eeb96265e4681bebab3b711ab0eb7bf [diff]