Add functionfs access to system_server. UsbDeviceManager in system_server now helps set up the endpoint files. Bug: 72877174 Test: No selinux denials Change-Id: I96b11ee68799ac29b756d2034e7f5e4660dbed98

commit: 1d4015457555bc645d2efa3f21deb3fb36302441 [log] [tgz]
author: Jerry Zhang <zhangjerry@google.com> Wed Dec 06 16:13:59 2017 -0800
committer: Jerry Zhang <zhangjerry@google.com> Thu Mar 01 12:07:15 2018 -0800
tree: 17072b74d18c3c513ad88c15a2def01ed60e6045
parent: 17d008ae73ce6971818d29ac76ff937741012be9 [diff]
diff --git a/private/domain.te b/private/domain.te
index 6ca859a..614e4c7 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -105,7 +105,8 @@
     -adbd
     -init
     -mediaprovider
-  }functionfs:file no_rw_file_perms;
+    -system_server
+  } functionfs:file no_rw_file_perms;
 
   # usbfs and binfmt_miscfs
   neverallow {

diff --git a/private/system_server.te b/private/system_server.te
index de2e3fe..a512e5d 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -761,6 +761,10 @@
   allow system_server mediaextractor_update_service:service_manager find;
 ')
 
+# UsbDeviceManager uses /dev/usb-ffs
+allow system_server functionfs:dir search;
+allow system_server functionfs:file rw_file_perms;
+
 ###
 ### Neverallow rules
 ###
commit	1d4015457555bc645d2efa3f21deb3fb36302441	[log] [tgz]
author	Jerry Zhang <zhangjerry@google.com>	Wed Dec 06 16:13:59 2017 -0800
committer	Jerry Zhang <zhangjerry@google.com>	Thu Mar 01 12:07:15 2018 -0800
tree	17072b74d18c3c513ad88c15a2def01ed60e6045
parent	17d008ae73ce6971818d29ac76ff937741012be9 [diff]