shell: enable hostside test: testAllBlockDevicesAreSecure

am: e53d0b0b

* commit 'e53d0b0b':
  shell: enable hostside test: testAllBlockDevicesAreSecure

Change-Id: If8f7df6f704c0217d687c5128fe649db6b690a68

domain.te

@@ -324,7 +324,13 @@ neverallow * default_android_service:service_manager add;
 neverallow { domain -init } default_prop:property_service set;
 neverallow { domain -init } mmc_prop:property_service set;
 
-neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
+neverallow {
+  domain
+  -init
+  -recovery
+  -system_server
+  -shell # Shell is further restricted in shell.te
+} frp_block_device:blk_file rw_file_perms;
 
 # No domain other than recovery and update_engine can write to system partition(s).
 neverallow { domain -recovery -update_engine } system_block_device:blk_file write;

shell.te

@@ -133,6 +133,12 @@ allow shell dev_type:chr_file getattr;
 # /dev/fd is a symlink
 allow shell proc:lnk_file getattr;
 
+#
+# filesystem test for insucre blk_file's is done
+# via hostside test
+#
+allow shell dev_type:blk_file getattr;
+
 ###
 ### Neverallow rules
 ###
@@ -152,3 +158,6 @@ neverallow shell {
   hw_random_device
   kmem_device
 }:chr_file ~getattr;
+
+# Limit shell to only getattr on blk devices for host side tests.
+neverallow shell dev_type:blk_file ~getattr;