Create a new SELinux type for /data/nativetest
1) Don't use the generic "system_data_file" for the files in /data/nativetest.
Rather, ensure it has its own special label. This allows us to distinguish
these files from other files in SELinux policy.
2) Allow the shell user to execute files from /data/nativetest, on
userdebug or eng builds only.
3) Add a neverallow rule (compile time assertion + CTS test) that nobody
is allowed to execute these files on user builds, and only the shell user
is allowed to execute these files on userdebug/eng builds.
Bug: 25340994
Change-Id: I3e292cdd1908f342699d6c52f8bbbe6065359413
diff --git a/domain.te b/domain.te
index ee606a4..69cf04d 100644
--- a/domain.te
+++ b/domain.te
@@ -313,6 +313,8 @@
-apk_data_file
}:file no_x_file_perms;
+neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
+
# Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file no_w_file_perms;
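Review bot: The new neverallow on nativetest_data_file is the only rule in this stretch without an explanatory comment, while the neighbouring property_data_file rules carry one; a reader has to expand `userdebug_or_eng(`-shell')` in their head to see that it means "nobody on user builds, shell only on userdebug/eng". Suggested comment above it: `# Only shell may execute files in /data/nativetest, and only on userdebug/eng builds; no domain may on user builds.` Since nativetest_data_file is also a data_file_type, the broader data_file_type no_x neverallow whose tail is visible at the top of the hunk (its subject set starts outside the hunk) also applies to it, so the two rules should be kept consistent about which domains are exempted.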
diff --git a/file.te b/file.te
index 244e8d5..383c3c5 100644
--- a/file.te
+++ b/file.te
@@ -91,6 +91,8 @@
type bootchart_data_file, file_type, data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
+# /data/nativetest
+type nativetest_data_file, file_type, data_file_type;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
diff --git a/file_contexts b/file_contexts
index 2143a77..107c73c 100644
--- a/file_contexts
+++ b/file_contexts
@@ -244,6 +244,7 @@
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
+/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
/data/property(/.*)? u:object_r:property_data_file:s0
# Misc data
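Review bot: The pattern `/data/nativetest(/.*)?` covers only that one tree; if the build also installs 64-bit tests under `/data/nativetest64`, that directory is not matched here and would keep the generic system_data_file label, so the domain.te neverallow would not apply to it — worth confirming against what the build actually emits. Separately, on devices whose /data already contains this directory labeled system_data_file, the new label only takes effect once the existing files are relabeled, so confirm the boot-time restorecon of /data picks up the file_contexts change.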
diff --git a/shell.te b/shell.te
index 39b599f..32ca20d 100644
--- a/shell.te
+++ b/shell.te
@@ -31,6 +31,12 @@
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;
+# Read/execute files in /data/nativetest
+userdebug_or_eng(`
+ allow shell nativetest_data_file:dir r_dir_perms;
+ allow shell nativetest_data_file:file rx_file_perms;
+')
+
# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)