Commit e9d261ff authored by Nick Kralevich's avatar Nick Kralevich

Create a new SELinux type for /data/nativetest

1) Don't use the generic "system_data_file" for the files in /data/nativetest.
Rather, ensure it has its own special label. This allows us to distinguish
these files from other files in SELinux policy.

2) Allow the shell user to execute files from /data/nativetest, on
userdebug or eng builds only.

3) Add a neverallow rule (compile time assertion + CTS test) that nobody
is allowed to execute these files on user builds, and only the shell user
is allowed to execute these files on userdebug/eng builds.

Bug: 25340994
Change-Id: I3e292cdd1908f342699d6c52f8bbbe6065359413
parent 89424bf9
...@@ -313,6 +313,8 @@ neverallow { ...@@ -313,6 +313,8 @@ neverallow {
-apk_data_file -apk_data_file
}:file no_x_file_perms; }:file no_x_file_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
# Only the init property service should write to /data/property. # Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir no_w_dir_perms; neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file no_w_file_perms; neverallow { domain -init } property_data_file:file no_w_file_perms;
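Review bot: The new neverallow on `nativetest_data_file` is the only assertion in this stretch without an explanatory comment, and the userdebug_or_eng exception for shell inside the source set is easy to misread. A line above it such as `# Nobody may execute /data/nativetest files on user builds; only shell may on userdebug/eng.` would match the style of the neighbouring rules. The comment should also say that the assertion covers execution only. Nothing visible in this commit constrains which domains may create or write `nativetest_data_file`, which matters because shell executes these files on debug builds.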
......
...@@ -91,6 +91,8 @@ type property_data_file, file_type, data_file_type; ...@@ -91,6 +91,8 @@ type property_data_file, file_type, data_file_type;
type bootchart_data_file, file_type, data_file_type; type bootchart_data_file, file_type, data_file_type;
# /data/system/heapdump # /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, mlstrustedobject; type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type;
# Mount locations managed by vold # Mount locations managed by vold
type mnt_media_rw_file, file_type; type mnt_media_rw_file, file_type;
......
...@@ -244,6 +244,7 @@ ...@@ -244,6 +244,7 @@
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0 /data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0 /data/media(/.*)? u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)? u:object_r:media_data_file:s0 /data/mediadrm(/.*)? u:object_r:media_data_file:s0
/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
/data/property(/.*)? u:object_r:property_data_file:s0 /data/property(/.*)? u:object_r:property_data_file:s0
# Misc data # Misc data
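Review bot: The new `/data/nativetest(/.*)?` entry only takes effect when the directory is labelled or relabelled, and nothing visible in this commit does that. Files already present on an upgraded userdebug/eng device would presumably keep `system_data_file` until a restorecon runs, so the new shell allow rules would not match them. Confirm that whatever creates the directory (not shown here) applies the new label, or mention the required relabel in the commit message.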
......
...@@ -31,6 +31,12 @@ allow shell shell_data_file:file create_file_perms; ...@@ -31,6 +31,12 @@ allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms; allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms; allow shell shell_data_file:lnk_file create_file_perms;
# Read/execute files in /data/nativetest
userdebug_or_eng(`
allow shell nativetest_data_file:dir r_dir_perms;
allow shell nativetest_data_file:file rx_file_perms;
')
# adb bugreport # adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate) unix_socket_connect(shell, dumpstate, dumpstate)
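Review bot: The comment `# Read/execute files in /data/nativetest` does not say that the grant is debug-only or that it is deliberately read-only. Something like `# Read/execute (never write) test binaries in /data/nativetest; userdebug/eng only.` would make the intent explicit, assuming read-only is intended, since only `r_dir_perms` and `rx_file_perms` are granted here. Because `rx_file_perms` permits execution without a domain transition, the tests presumably run in the shell domain itself. That is worth stating if it is the intended confinement.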
......