Add label for kernel test files and executables

am: 34e35e9e Change-Id: I22f991b650802739680404476a1521e2451729a5

Add label for kernel test files and executables
bf01e8e1 · Sandeep Patil · android-build-merger · 1b6c8a51 · 34e35e9e · bf01e8e1
Commit bf01e8e1 authored Feb 23, 2018 by Sandeep Patil Committed by android-build-merger Feb 23, 2018
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -365,6 +365,7 @@
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
+/data/local/tmp/ltp(/.*)?   u:object_r:nativetest_data_file:s0
 /data/local/traces(/.*)?	u:object_r:trace_data_file:s0
 /data/media(/.*)?	u:object_r:media_rw_data_file:s0
 /data/mediadrm(/.*)?	u:object_r:media_data_file:s0

--- a/public/domain.te
+++ b/public/domain.te
@@ -452,6 +452,9 @@ neverallow {
  -apk_data_file
 }:file no_x_file_perms;

+# The test files and executables MUST not be accessible to any domain
+neverallow domain nativetest_data_file:file_class_set no_w_file_perms;
+neverallow domain nativetest_data_file:dir no_w_dir_perms;
 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;

 # Only the init property service should write to /data/property and /dev/__properties__
@@ -1180,7 +1183,6 @@ neverallow {
  userdebug_or_eng(`-uncrypt')
 } shell_data_file:file open;

-
 # servicemanager and vndservicemanager are the only processes which handle the
 # service_manager list request
 neverallow * ~{

--- a/public/init.te
+++ b/public/init.te
@@ -138,6 +138,7 @@ allow init {
  -app_data_file
  -exec_type
  -misc_logd_file
+  -nativetest_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
@@ -149,6 +150,7 @@ allow init {
  -exec_type
  -keystore_data_file
  -misc_logd_file
+  -nativetest_data_file
  -shell_data_file
  -system_app_data_file
  -system_file
@@ -163,6 +165,7 @@ allow init {
  -exec_type
  -keystore_data_file
  -misc_logd_file
+  -nativetest_data_file
  -shell_data_file
  -system_app_data_file
  -system_file
@@ -176,6 +179,7 @@ allow init {
  -exec_type
  -keystore_data_file
  -misc_logd_file
+  -nativetest_data_file
  -shell_data_file
  -system_app_data_file
  -system_file
@@ -189,6 +193,7 @@ allow init {
  -exec_type
  -keystore_data_file
  -misc_logd_file
+  -nativetest_data_file
  -shell_data_file
  -system_app_data_file
  -system_file

--- a/public/kernel.te
+++ b/public/kernel.te
@@ -66,6 +66,7 @@ allow kernel app_data_file:file read;
 allow kernel asec_image_file:file read;

 # Allow reading loop device in update_engine_unittests. (b/28319454)
+# and for LTP kernel tests (b/73220071)
 userdebug_or_eng(`
  allow kernel update_engine_data_file:file read;
  allow kernel nativetest_data_file:file read;