Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 6fc134e3e529e2a79c754593b2ca660cabcd81ed^2..6fc134e3e529e2a79c754593b2ca660cabcd81ed / .
commit6fc134e3e529e2a79c754593b2ca660cabcd81ed[log] [tgz]
authorJeffrey Vander Stoep <jeffv@google.com>Thu Oct 29 18:11:04 2015 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Thu Oct 29 18:11:04 2015 +0000
tree62a139094b1ccc63179b648d65519b3d5b2a7522
parente9d261ff17648e7d08f8fe86909ad0522fbbafb3 [diff]
parent94ee59bc4a3f769774294e87ac9a25dcbc042542 [diff]
Merge "audit mtp sync permission"
diff --git a/domain.te b/domain.te
index ee606a4..69cf04d 100644
--- a/domain.te
+++ b/domain.te

@@ -313,6 +313,8 @@
   -apk_data_file
 }:file no_x_file_perms;
 
+neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
+
 # Only the init property service should write to /data/property.
 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
 neverallow { domain -init } property_data_file:file no_w_file_perms;

diff --git a/file.te b/file.te
index 244e8d5..383c3c5 100644
--- a/file.te
+++ b/file.te

@@ -91,6 +91,8 @@
 type bootchart_data_file, file_type, data_file_type;
 # /data/system/heapdump
 type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
+# /data/nativetest
+type nativetest_data_file, file_type, data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;

diff --git a/file_contexts b/file_contexts
index 2143a77..107c73c 100644
--- a/file_contexts
+++ b/file_contexts

@@ -244,6 +244,7 @@
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
 /data/media(/.*)?	u:object_r:media_rw_data_file:s0
 /data/mediadrm(/.*)?	u:object_r:media_data_file:s0
+/data/nativetest(/.*)?	u:object_r:nativetest_data_file:s0
 /data/property(/.*)?	u:object_r:property_data_file:s0
 
 # Misc data

diff --git a/shell.te b/shell.te
index 39b599f..32ca20d 100644
--- a/shell.te
+++ b/shell.te

@@ -31,6 +31,12 @@
 allow shell shell_data_file:file rx_file_perms;
 allow shell shell_data_file:lnk_file create_file_perms;
 
+# Read/execute files in /data/nativetest
+userdebug_or_eng(`
+  allow shell nativetest_data_file:dir r_dir_perms;
+  allow shell nativetest_data_file:file rx_file_perms;
+')
+
 # adb bugreport
 unix_socket_connect(shell, dumpstate, dumpstate)