From 72c16e32f5dfbf889819973cc2d842a094636d23 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Wed, 23 Mar 2016 17:26:42 -0700
Subject: [PATCH] shell: enable hostside test: testAllCharacterDevicesAreSecure

Enable shell to have access to /dev for running the world accessable mode test on /dev. This approach adds shell to the list of excluded domains on neverallows around chr_files, but locks down the access for shell to only getattr. It was done this lightly more complicated way to prevent loosening the allow rules so that any domain would have getattr permissions.

Change-Id: Idab466fa226ddbf004fcb1bbcaf98c8326605253
---
 domain.te | 21 +++++++++++++++++----
 shell.te | 18 ++++++++++++++++++
 2 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/domain.te b/domain.te
index 11dd58c56..2515be8ba 100644
--- a/domain.te
+++ b/domain.te
@@ -198,15 +198,27 @@ neverallow * kernel:security setbool;
 # that could be set from init.rc.
 neverallow { domain -init } kernel:security setsecparam;
 
-# Only init, ueventd and system_server should be able to access HW RNG
-neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
+# Only init, ueventd, shell and system_server should be able to access HW RNG
+neverallow {
+ domain
+ -init
+ -shell # For CTS and is restricted to getattr in shell.te
+ -system_server
+ -ueventd
+} hw_random_device:chr_file *;
 
 # Ensure that all entrypoint executables are in exec_type or postinstall_file.
 neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
 
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr };
+neverallow {
+ domain
+ -init
+ -kernel
+ -shell # For CTS and is restricted to getattr in shell.te
+ -ueventd
+} kmem_device:chr_file *;
+neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
 
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
@@ -558,6 +570,7 @@ neverallow {
 -priv_app
 -recovery
 -sdcardd
+ -shell # Restricted by shell.te to only getattr
 -system_server
 -ueventd
 -vold
diff --git a/shell.te b/shell.te
index e045a9343..e1bd1ed44 100644
--- a/shell.te
+++ b/shell.te
@@ -123,6 +123,16 @@ allow shell sysfs:dir r_dir_perms;
 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;
 
+#
+# filesystem test for insecure chr_file's is done
+# via a host side test
+#
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
 ###
 ### Neverallow rules
 ###
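Review bot: The new header comment `# Only init, ueventd, shell and system_server should be able to access HW RNG` overstates what shell gets — the `-shell` exclusion only makes it possible for shell.te to grant getattr, which the trailing comment on that line already says. Suggest `# Only init, ueventd and system_server may use the HW RNG; shell may only getattr it (bounded by a neverallow in shell.te)`. The widened `neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };` does not by itself expose /dev/kmem metadata to every domain, because the `{ domain -init -kernel -shell -ueventd } kmem_device:chr_file *` rule just above still forbids getattr for everything else; a one-line comment recording that pairing, e.g. `# getattr is exempt here only for the domains excluded in the rule above`, would stop a later edit from treating the two rules as independent. The same cross-reference is missing on the `-shell # Restricted by shell.te to only getattr` exclusion in the second domain.te hunk, whose enclosing neverallow starts and ends outside the hunk so its target type is not visible here.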
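Review bot: `allow shell dev_type:chr_file getattr;` grants getattr on every type carrying the dev_type attribute, while the neverallow added at the end of shell.te bounds shell only for fuse_device, hw_random_device and kmem_device, so a chr_file type that no domain.te neverallow already covers picks up shell getattr without per-type review. That is presumably acceptable for a test that only stats device nodes, but the comment block should say which test and why getattr suffices, e.g. `# Host-side CTS test testAllCharacterDevicesAreSecure stats every chr_file under /dev; getattr only — other access to sensitive nodes is neverallowed below.` (the existing `chr_file's` also carries a stray apostrophe). `allow shell proc:lnk_file getattr;` is justified only by `# /dev/fd is a symlink`; saying `# /dev/fd is a symlink labeled proc; getattr is needed so the test can stat it` makes the link to the dev_type rule explicit.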
@@ -134,3 +144,11 @@ allow shell ion_device:chr_file rw_file_perms;
 # bugs, so we want to ensure the shell user never has this
 # capability.
 neverallow shell file_type:file link;
+
+# limit shell access to sensitive char drivers to
+# only getattr required for host side test.
+neverallow shell {
+ fuse_device
+ hw_random_device
+ kmem_device
+}:chr_file ~getattr;
-- GitLab
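Review bot: The three types in `neverallow shell { fuse_device hw_random_device kmem_device }:chr_file ~getattr;` are the ones whose domain.te neverallows now carry a `-shell` exclusion, but nothing ties the two lists together; if a later change adds a `-shell` exclusion in domain.te without a matching entry here, shell could be granted more than getattr on that device with no build-time check catching it. Suggest extending the comment to `# Keep this list in sync with every neverallow in domain.te that excludes shell; each exclusion there is only safe because of this rule.` Whether the second domain.te hunk's exclusion belongs to the fuse_device rule cannot be confirmed from the visible lines, so the comment should reference the rules by type name rather than by line number.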