From 200a9f0e20337b48824cf621a017e2852245e5ca Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 22 Sep 2014 15:41:38 -0700
Subject: [PATCH] relax appdomain efs_file neverallow rules

During factory provisioning, some manufacturers may need to pull files
from /factory (label efs_file and bluetooth_efs_file) to collect
device specific identifiers such as the mac address, using commands
similar to the following:

  adb shell cat /factory/ssn
  adb shell cat /factory/bt/bd_addr.conf
  adb shell cat /factory/wifi/mac.txt
  adb shell cat /factory/60isn

Read-only access to these files is currently disallowed by a
neverallow rule. Relax the rule so that vendor-specific policy may
grant the shell user read-only access if desired.

No new SELinux rules are added or deleted by this change. This is
only a relaxation in what's allowed for vendor specific policy.

Bug: 17600278
Change-Id: I13f33f996c077918dce70a5cff31a87eac436678
---
 app.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app.te b/app.te
index 1fb53e68e..2a6b270b6 100644
--- a/app.te
+++ b/app.te
@@ -316,8 +316,8 @@ neverallow appdomain
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Access to factory files.
-neverallow appdomain
-    efs_file:dir_file_class_set { read write };
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
 
 # Write to various pseudo file systems.
 neverallow { appdomain -bluetooth -nfc }
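Review bot: The `-shell` exemption on the new read rule is not explained where it is made; `# Access to factory files.` does not say the carve-out exists only so vendor policy can permit adb reads during factory provisioning. A neverallow exemption removes the build-time check for every build type, so a vendor allow rule giving shell read on efs_file would also compile into production images, where it would expose the persistent identifiers named in the commit message (serial number, MAC and Bluetooth addresses) to anyone with adb access. I would add a comment such as `# shell is exempted only so vendor policy can permit adb reads during factory provisioning; keep the matching allow rule out of shipping builds where possible.` Separately, the write rule names only `write`, so `append` and `setattr` on efs_file are not forbidden for appdomain, unlike the permission set in the rule just above (which begins outside this hunk, so its target type is not visible here); `{ write append setattr }` may be what is intended.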
-- 
GitLab