relax appdomain efs_file neverallow rules During factory provisioning, some manufacturers may need to pull files from /factory (label efs_file and bluetooth_efs_file) to collect device specific identifiers such as the mac address, using commands similar to the following: adb shell cat /factory/ssn adb shell cat /factory/bt/bd_addr.conf adb shell cat /factory/wifi/mac.txt adb shell cat /factory/60isn read-only access to these files is currently disallowed by a neverallow rule. Relax the rules to allow read-only access to the shell user if desired. No new SELinux rules are added or deleted by this change. This is only a relaxation in what's allowed for vendor specific policy. Bug: 17600278 Change-Id: I13f33f996c077918dce70a5cff31a87eac436678

commit: 200a9f0e20337b48824cf621a017e2852245e5ca [log] [tgz]
author: Nick Kralevich <nnk@google.com> Mon Sep 22 15:41:38 2014 -0700
committer: Nick Kralevich <nnk@google.com> Mon Sep 22 22:49:00 2014 +0000
tree: 335e965250181c369a80f4e63262bed51fc9f5f0
parent: 642b80427ec2e95eb13cf03a74d814f240813e71 [diff]
diff --git a/app.te b/app.te
index 1fb53e6..2a6b270 100644
--- a/app.te
+++ b/app.te

@@ -316,8 +316,8 @@
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Access to factory files.
-neverallow appdomain
-    efs_file:dir_file_class_set { read write };
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
 
 # Write to various pseudo file systems.
 neverallow { appdomain -bluetooth -nfc }
commit	200a9f0e20337b48824cf621a017e2852245e5ca	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Mon Sep 22 15:41:38 2014 -0700
committer	Nick Kralevich <nnk@google.com>	Mon Sep 22 22:49:00 2014 +0000
tree	335e965250181c369a80f4e63262bed51fc9f5f0
parent	642b80427ec2e95eb13cf03a74d814f240813e71 [diff]