From e53d0b0bccf2fd58ce4b4ea3324891937056089a Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Tue, 5 Apr 2016 08:19:27 -0700
Subject: [PATCH] shell: enable hostside test: testAllBlockDevicesAreSecure

Enable rules to allow shell to getattr on all block files
for checking modes under /dev/block.

Exempt shell from any neverallows on blk_file and limit it
to getattr only.

bug: 28306036
Change-Id: Ic26c0f7acfb238ff78d5d3537d51c1a70c64d196
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 domain.te | 8 +++++++-
 shell.te  | 9 +++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 2515be8ba..90103fa60 100644
--- a/domain.te
+++ b/domain.te
@@ -324,7 +324,13 @@ neverallow * default_android_service:service_manager add;
 neverallow { domain -init } default_prop:property_service set;
 neverallow { domain -init } mmc_prop:property_service set;
 
-neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
+neverallow {
+  domain
+  -init
+  -recovery
+  -system_server
+  -shell # Shell is further restricted in shell.te
+} frp_block_device:blk_file rw_file_perms;
 
 # No domain other than recovery and update_engine can write to system partition(s).
 neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
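Review bot: The `-shell` exemption on the frp_block_device neverallow (new lines 29-35) drops shell from this domain-wide guard entirely, so shell's access to frp_block_device is now bounded only by the `neverallow shell dev_type:blk_file ~getattr;` rule added in shell.te, and that rule covers frp_block_device only if the type carries the dev_type attribute — its declaration is not in this patch and should be confirmed before merging. The inline comment should state that dependency instead of the vague "further restricted", e.g. `-shell # shell needs getattr only; shell.te neverallows all other dev_type:blk_file perms`. If frp_block_device is not a dev_type, this hunk would leave shell with no neverallow on it at all.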
diff --git a/shell.te b/shell.te
index e1bd1ed44..610ed3ff7 100644
--- a/shell.te
+++ b/shell.te
@@ -133,6 +133,12 @@ allow shell dev_type:chr_file getattr;
 # /dev/fd is a symlink
 allow shell proc:lnk_file getattr;
 
+#
+# filesystem test for insucre blk_file's is done
+# via hostside test
+#
+allow shell dev_type:blk_file getattr;
+
 ###
 ### Neverallow rules
 ###
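Review bot: The comment added at lines 47-50 misspells `insucre` (insecure), uses a stray possessive in `blk_file's`, and does not say why the allow rule is needed, which is the useful information for the next reader. Suggest replacing the four lines with `# The hostside test testAllBlockDevicesAreSecure checks modes of every block device under /dev/block,` followed by `# so shell needs getattr on all dev_type blk_files; every other blk_file permission is neverallowed below.`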
@@ -152,3 +158,6 @@ neverallow shell {
   hw_random_device
   kmem_device
 }:chr_file ~getattr;
+
+# Limit shell to only getattr on blk devices for host side tests.
+neverallow shell dev_type:blk_file ~getattr;
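Review bot: The neverallow on line 62 is the compensating control for the `-shell` exemption added to the frp_block_device rule in domain.te, but neither file records that coupling, so a later edit that loosens this rule would silently re-expose frp_block_device to shell without any neverallow catching it. Suggest extending the comment on line 61 with `# domain.te exempts shell from the frp_block_device neverallow on the strength of this rule; do not widen it.` The `neverallow shell { ... }:chr_file ~getattr;` block that precedes the new lines begins outside the hunk.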
-- 
GitLab