shell: enable hostside test: testAllBlockDevicesAreSecure

Enable rules to allow shell to getattr on all block files for checking modes under /dev/block. Exempt shell from any neverallows on blk_file and limit them to only getattr. bug: 28306036 Change-Id: Ic26c0f7acfb238ff78d5d3537d51c1a70c64d196 Signed-off-by: William Roberts <william.c.roberts@intel.com>

shell: enable hostside test: testAllBlockDevicesAreSecure
e53d0b0b · William Roberts · William C Roberts · 72c16e32 · e53d0b0b · e53d0b0b
Commit e53d0b0b authored 8 years ago by William Roberts Committed by William C Roberts 8 years ago
--- a/domain.te
+++ b/domain.te
@@ -324,7 +324,13 @@ neverallow * default_android_service:service_manager add;
 neverallow { domain -init } default_prop:property_service set;
 neverallow { domain -init } mmc_prop:property_service set;
-neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
+neverallow {
+  domain
+  -init
+  -recovery
+  -system_server
+  -shell # Shell is further restricted in shell.te
+} frp_block_device:blk_file rw_file_perms;
 # No domain other than recovery and update_engine can write to system partition(s).
 neverallow { domain -recovery -update_engine } system_block_device:blk_file write;

--- a/shell.te
+++ b/shell.te
@@ -133,6 +133,12 @@ allow shell dev_type:chr_file getattr;
 # /dev/fd is a symlink
 allow shell proc:lnk_file getattr;
+#
+# filesystem test for insucre blk_file's is done
+# via hostside test
+#
+allow shell dev_type:blk_file getattr;
 ###
 ### Neverallow rules
 ###
@@ -152,3 +158,6 @@ neverallow shell {
  hw_random_device
  kmem_device
 }:chr_file ~getattr;
+# Limit shell to only getattr on blk devices for host side tests.
+neverallow shell dev_type:blk_file ~getattr;