Allow shell to get encryption policy for CTS

Allow the shell domain to use the FS_IOC_GET_ENCRYPTION_POLICY and
FS_IOC_GET_ENCRYPTION_POLICY_EX ioctls so that we can write a CTS test
which checks that the device complies with the CDD requirements to use
appropriate algorithms for file-based encryption.

The information returned by these ioctls is already available in logcat,
but scraping the log for a CTS test seems fragile; I assume that people
would prefer a more robust solution.

For more details see change I9082241066cba82b531e51f9a5aec14526467162

Bug: 111311698
Test: the CTS test works after this change.
Change-Id: Ib9ce6b42fcfb6b546eb80a93ae8d17ac5a433984
diff --git a/private/shell.te b/private/shell.te
index 8a933a5..53a6a7a 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -79,3 +79,9 @@
userdebug_or_eng(`
set_prop(shell, linker_prop)
')
+
+# Allow shell to get encryption policy of /data/local/tmp/, for CTS
+allowxperm shell shell_data_file:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_GET_ENCRYPTION_POLICY_EX
+};