Add label for kernel test files and executables
This is required for the kernel to do loopback mounts on filesystem
images created by the kernel system call tests in LTP.
Add a corresponding neverallow to stop all domains from accessing
the location at /data/local/tmp/ltp.
Bug: 73220071
Test: Boot sailfish successfully
Test: run vts-kernel -m VtsKernelLtp -t syscalls.fchown04
Change-Id: I73f5f14017e22971fc246a05751ba67be4653bca
Signed-off-by: Sandeep Patil <sspatil@google.com>
diff --git a/private/file_contexts b/private/file_contexts
index 321cfbe..10a8a71 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -365,6 +365,7 @@
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
/data/local/traces(/.*)? u:object_r:trace_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
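Review bot: The new `/data/local/tmp/ltp(/.*)?` entry has no comment, and nothing records that it has to stay below the broader `/data/local/tmp(/.*)?` line (as far as I know the later of two matching regex entries wins, so a re-sort would silently return the path to `shell_data_file`). I would add `# LTP kernel test binaries and filesystem images (b/73220071); keep after the /data/local/tmp entry.` above it. The entry is also not gated by build variant, while the kernel read rule in public/kernel.te sits inside `userdebug_or_eng`. On user builds the path would therefore still be relabeled, and the new write neverallow in domain.te would presumably leave it unwritable from the shell, so please confirm that is intended.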
diff --git a/public/domain.te b/public/domain.te
index 11c7433..beb091c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -452,6 +452,9 @@
-apk_data_file
}:file no_x_file_perms;
+# The test files and executables MUST not be accessible to any domain
+neverallow domain nativetest_data_file:file_class_set no_w_file_perms;
+neverallow domain nativetest_data_file:dir no_w_dir_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
# Only the init property service should write to /data/property and /dev/__properties__
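Review bot: The comment added above the two new neverallow rules says the files must not be accessible to any domain, but the rules name `no_w_file_perms` and `no_w_dir_perms`, which cover write-type permissions only. Read access stays possible, and execute is handled by the existing `no_x_file_perms` rule on the next line. I would reword it to `# No domain may write to or create nativetest data files or directories; read and execute are restricted separately.` so the comment matches what is enforced. If the goal is also to stop other files from being relabeled into this type, `relabelto` does not appear to be part of those macros and would need to be listed explicitly; worth checking against global_macros.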
@@ -1180,7 +1183,6 @@
userdebug_or_eng(`-uncrypt')
} shell_data_file:file open;
-
# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
diff --git a/public/init.te b/public/init.te
index afdc10e..f8a22b9 100644
--- a/public/init.te
+++ b/public/init.te
@@ -138,6 +138,7 @@
-app_data_file
-exec_type
-misc_logd_file
+ -nativetest_data_file
-system_app_data_file
-system_file
-vendor_file_type
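Review bot: The `-nativetest_data_file` exclusion is added here and in the four hunks that follow (at new lines 150, 165, 179 and 193) with no comment saying why init loses access to the type. Presumably it is there so init's broad file rules do not violate the new neverallow in public/domain.te; one line such as `# nativetest_data_file is excluded to satisfy the write neverallow in domain.te (b/73220071)` near the first set would stop a later cleanup from removing it. The rules these sets belong to start and end outside the hunks, so I cannot tell which permissions each one grants.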
@@ -149,6 +150,7 @@
-exec_type
-keystore_data_file
-misc_logd_file
+ -nativetest_data_file
-shell_data_file
-system_app_data_file
-system_file
@@ -163,6 +165,7 @@
-exec_type
-keystore_data_file
-misc_logd_file
+ -nativetest_data_file
-shell_data_file
-system_app_data_file
-system_file
@@ -176,6 +179,7 @@
-exec_type
-keystore_data_file
-misc_logd_file
+ -nativetest_data_file
-shell_data_file
-system_app_data_file
-system_file
@@ -189,6 +193,7 @@
-exec_type
-keystore_data_file
-misc_logd_file
+ -nativetest_data_file
-shell_data_file
-system_app_data_file
-system_file
diff --git a/public/kernel.te b/public/kernel.te
index ba1dec9..c8521e3 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -66,6 +66,7 @@
allow kernel asec_image_file:file read;
# Allow reading loop device in update_engine_unittests. (b/28319454)
+# and for LTP kernel tests (b/73220071)
userdebug_or_eng(`
allow kernel update_engine_data_file:file read;
allow kernel nativetest_data_file:file read;
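Review bot: The added comment line is a fragment that starts with "and", so the pair of comment lines no longer reads as one sentence. It also does not say that the existing `allow kernel nativetest_data_file:file read;` is the rule now covering files under /data/local/tmp/ltp. I would merge the two lines into `# Allow reading loop-device backing files for update_engine_unittests (b/28319454) and for LTP kernel tests under /data/local/tmp/ltp (b/73220071).` The `userdebug_or_eng` block is not closed within the hunk.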