domain.te & kernel.te: allow kernel to write nativetest_data_file
to work around some VTS VtsKernelLtp failures introduced by
change on vfs_iter_write here:
https://android.googlesource.com/kernel/hikey-linaro/+/abbb65899aecfc97bda64b6816d1e501754cfe1f%5E%21/#F3
for discussion please check threads here:
https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg03348.html
Sandeep suggests re-ordering the events in that thread,
that should be the right solution,
this change is only a temporary workaround before that change.
Test: manually with -m VtsKernelLtp -t VtsKernelLtp#fs.fs_fill_64bit
Change-Id: I3f46ff874d3dbcc556cfbeb27be21878574877d1
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
diff --git a/public/domain.te b/public/domain.te
index 7e41e96..cef538f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -466,7 +466,7 @@
}:file no_x_file_perms;
# The test files and executables MUST not be accessible to any domain
-neverallow domain nativetest_data_file:file_class_set no_w_file_perms;
+neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
neverallow domain nativetest_data_file:dir no_w_dir_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
diff --git a/public/kernel.te b/public/kernel.te
index c8521e3..b7a351c 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -69,7 +69,7 @@
# and for LTP kernel tests (b/73220071)
userdebug_or_eng(`
allow kernel update_engine_data_file:file read;
- allow kernel nativetest_data_file:file read;
+ allow kernel nativetest_data_file:file { read write };
')
# Access to /data/media.
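Review bot: the widened `allow kernel nativetest_data_file:file { read write };` carries no marker that it is temporary. The commit message says this is only a workaround until the events are re-ordered, but the policy comment still just reads "and for LTP kernel tests (b/73220071)". Please add a TODO next to the rule stating that `write` should be dropped once that fix lands, together with the matching exemption in domain.te, so the two are reverted together.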