Create a new SELinux type for /data/nativetest 1) Don't use the generic "system_data_file" for the files in /data/nativetest. Rather, ensure it has it's own special label. This allows us to distinguish these files from other files in SELinux policy. 2) Allow the shell user to execute files from /data/nativetest, on userdebug or eng builds only. 3) Add a neverallow rule (compile time assertion + CTS test) that nobody is allowed to execute these files on user builds, and only the shell user is allowed to execute these files on userdebug/eng builds. Bug: 25340994 Change-Id: I3e292cdd1908f342699d6c52f8bbbe6065359413

commit: e9d261ff17648e7d08f8fe86909ad0522fbbafb3 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Wed Oct 28 16:45:58 2015 -0700
committer: Nick Kralevich <nnk@google.com> Wed Oct 28 17:00:30 2015 -0700
tree: 43a9ad4ea749e416787fa4e5be55e491ef0cd1f8
parent: 89424bf9470931df90afa4f6d141b3696ad5a632 [diff] [blame]
diff --git a/file_contexts b/file_contexts
index 2143a77..107c73c 100644
--- a/file_contexts
+++ b/file_contexts

@@ -244,6 +244,7 @@
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
 /data/media(/.*)?	u:object_r:media_rw_data_file:s0
 /data/mediadrm(/.*)?	u:object_r:media_data_file:s0
+/data/nativetest(/.*)?	u:object_r:nativetest_data_file:s0
 /data/property(/.*)?	u:object_r:property_data_file:s0
 
 # Misc data
commit	e9d261ff17648e7d08f8fe86909ad0522fbbafb3	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Wed Oct 28 16:45:58 2015 -0700
committer	Nick Kralevich <nnk@google.com>	Wed Oct 28 17:00:30 2015 -0700
tree	43a9ad4ea749e416787fa4e5be55e491ef0cd1f8
parent	89424bf9470931df90afa4f6d141b3696ad5a632 [diff] [blame]