Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / da4e51b71f77a98dbf2a34cc9465ad8feac4f4c0^! / .
commitda4e51b71f77a98dbf2a34cc9465ad8feac4f4c0[log] [tgz]
authorColin Cross <ccross@android.com>Mon Aug 31 16:11:11 2020 -0700
committerColin Cross <ccross@android.com>Tue Sep 01 11:17:19 2020 -0700
tree1e401d93ae1882b8d34964eefc471e83af9344c7
parent1be8dfacfd0ae865523bfe6937077bc66177f254 [diff]
Add shell_test_data_file for /data/local/tests

Add a domain for /data/local/tests which will be used by atest
to execute tests on devices as shell or root.

Bug: 138450837
Test: atest binderVendorDoubleLoadTest memunreachable_unit_test memunreachable_binder_test
Change-Id: Ia34314bd9430e21c8b3304ac079e3d9b5705e19c

diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 835bc5e..690350c 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil

@@ -19,6 +19,7 @@
     profcollectd_data_file
     profcollectd_exec
     profcollectd_service
+    shell_test_data_file
     sysfs_devices_cs_etm
     update_engine_stable_service
     cgroup_v2

diff --git a/private/file_contexts b/private/file_contexts
index 5cc5b9b..bd702d2 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -522,6 +522,7 @@
 /data/gsi/ota(/.*)?    u:object_r:ota_image_data_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
+/data/local/tests(/.*)?	u:object_r:shell_test_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
 /data/local/tmp/ltp(/.*)?   u:object_r:nativetest_data_file:s0
 /data/local/traces(/.*)?	u:object_r:trace_data_file:s0

diff --git a/public/adbd.te b/public/adbd.te
index 68a176c..5056b35 100644
--- a/public/adbd.te
+++ b/public/adbd.te

@@ -6,3 +6,8 @@
 # Only init is allowed to enter the adbd domain via exec()
 neverallow { domain -init } adbd:process transition;
 neverallow * adbd:process dyntransition;
+
+# Access /data/local/tests.
+allow adbd shell_test_data_file:dir create_dir_perms;
+allow adbd shell_test_data_file:file create_file_perms;
+allow adbd shell_test_data_file:lnk_file create_file_perms;

diff --git a/public/domain.te b/public/domain.te
index 745bb25..1bfdcea 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -471,6 +471,10 @@
 neverallow domain nativetest_data_file:dir no_w_dir_perms;
 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
 
+neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
+neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
+neverallow { domain -shell -init -adbd } shell_test_data_file:file *;
+
 # Only the init property service should write to /data/property and /dev/__properties__
 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
 neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };

diff --git a/public/file.te b/public/file.te
index b85882f..3d10999 100644
--- a/public/file.te
+++ b/public/file.te

@@ -308,6 +308,8 @@
 type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/nativetest
 type nativetest_data_file, file_type, data_file_type, core_data_file_type;
+# /data/local/tests
+type shell_test_data_file, file_type, data_file_type, core_data_file_type;
 # /data/system_de/0/ringtones
 type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/preloads

diff --git a/public/shell.te b/public/shell.te
index 822f4ca..ee90a63 100644
--- a/public/shell.te
+++ b/public/shell.te

@@ -25,6 +25,12 @@
 allow shell shell_data_file:file rx_file_perms;
 allow shell shell_data_file:lnk_file create_file_perms;
 
+# Access /data/local/tests.
+allow shell shell_test_data_file:dir create_dir_perms;
+allow shell shell_test_data_file:file create_file_perms;
+allow shell shell_test_data_file:file rx_file_perms;
+allow shell shell_test_data_file:lnk_file create_file_perms;
+
 # Read and delete from /data/local/traces.
 allow shell trace_data_file:file { r_file_perms unlink };
 allow shell trace_data_file:dir { r_dir_perms remove_name write };