Merge "domain.te & kernel.te: allow kernel to write nativetest_data_file" into pi-dev
diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
index cccc651..e9337b6 100644
--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
@@ -466,7 +466,7 @@
}:file no_x_file_perms;
# The test files and executables MUST not be accessible to any domain
-neverallow domain nativetest_data_file:file_class_set no_w_file_perms;
+neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
neverallow domain nativetest_data_file:dir no_w_dir_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
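Review bot: The comment on the line above the changed neverallow is now stale: it says the test files "MUST not be accessible to any domain", but the new `{ domain userdebug_or_eng(`-kernel') }` carves the kernel domain out of the write restriction on userdebug/eng builds, just as the exec rule two lines below already carves out shell. Suggest amending it to something like `# The test files and executables MUST not be accessible to any domain, except kernel (write, for LTP tests, userdebug/eng only) and shell (exec).` Note also that the carve-out spans all of file_class_set and every permission in no_w_file_perms (which, as I recall it, includes create/unlink/rename/setattr, not just write), whereas the matching kernel.te grant is only `file { read write }`; since a neverallow cannot be narrowed by the allow it permits, recording the intended scope in the comment lets a future reviewer spot a broader kernel allow that this assertion would no longer catch. The identical hunk in public/domain.te has the same issue; the prebuilts/api/28.0 copy here is expected to mirror it.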
diff --git a/prebuilts/api/28.0/public/kernel.te b/prebuilts/api/28.0/public/kernel.te
index c8521e3..b7a351c 100644
--- a/prebuilts/api/28.0/public/kernel.te
+++ b/prebuilts/api/28.0/public/kernel.te
@@ -69,7 +69,7 @@
# and for LTP kernel tests (b/73220071)
userdebug_or_eng(`
allow kernel update_engine_data_file:file read;
- allow kernel nativetest_data_file:file read;
+ allow kernel nativetest_data_file:file { read write };
')
# Access to /data/media.
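Review bot: The new rule grants `write` on nativetest_data_file but not `open`, so on userdebug/eng the kernel can only write to test files whose descriptors it already holds (for example, handed to it by the test harness); if that is deliberate, the comment above the macro block should say so, e.g. `# LTP tests pass already-open test files to the kernel; write without open is intentional.` If the LTP tests in fact need the kernel to open the files itself, the grant as written will still produce denials and the rule should be revisited together with the domain.te carve-out. The comment block this sits under starts before the hunk, so the existing LTP reference (b/73220071) may already cover part of this. The same change appears in public/kernel.te.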
diff --git a/public/domain.te b/public/domain.te
index cccc651..e9337b6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -466,7 +466,7 @@
}:file no_x_file_perms;
# The test files and executables MUST not be accessible to any domain
-neverallow domain nativetest_data_file:file_class_set no_w_file_perms;
+neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
neverallow domain nativetest_data_file:dir no_w_dir_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
diff --git a/public/kernel.te b/public/kernel.te
index c8521e3..b7a351c 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -69,7 +69,7 @@
# and for LTP kernel tests (b/73220071)
userdebug_or_eng(`
allow kernel update_engine_data_file:file read;
- allow kernel nativetest_data_file:file read;
+ allow kernel nativetest_data_file:file { read write };
')
# Access to /data/media.