    Create a new SELinux type for /data/nativetest · e9d261ff
    Nick Kralevich authored
    1) Don't use the generic "system_data_file" for the files in /data/nativetest.
    Rather, ensure it has its own special label. This allows us to distinguish
    these files from other files in SELinux policy.
    
    2) Allow the shell user to execute files from /data/nativetest, on
    userdebug or eng builds only.
    
    3) Add a neverallow rule (compile time assertion + CTS test) that nobody
    is allowed to execute these files on user builds, and only the shell user
    is allowed to execute these files on userdebug/eng builds.
    
    Bug: 25340994
    Change-Id: I3e292cdd1908f342699d6c52f8bbbe6065359413
domain.te 19.24 KiB
# Rules for all domains.
#
# `domain` is the attribute carried by every process type, so each rule in
# this file is a policy-wide grant: whatever is allowed here is allowed to
# every domain and cannot be narrowed again in an individual .te file.
# Anything that only one or a few domains need belongs in their own file,
# not here.

# Allow reaping by init.
allow domain init:process sigchld;

# Read access to properties mapping.
# Deliberately spelled out as { read getattr } instead of the broader
# r_file_perms macro used elsewhere, so open/ioctl/lock on arbitrary
# tmpfs-labelled files are not handed to every domain.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };
allow domain tmpfs:lnk_file { read getattr };

# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;

# Intra-domain accesses.
# Process permissions a domain has on itself. Note what is *not* in this
# list: ptrace, execmem, execstack, setcurrent and dyntransition are not
# granted policy-wide and must be requested explicitly by the domains
# that need them.
allow domain self:process {
    fork
    sigchld
    sigkill
    sigstop
    signull
    signal
    getsched
    setsched
    getsession
    getpgid
    setpgid
    getcap
    setcap
    getattr
    setrlimit
};
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
# "self" as a file target means files carrying the domain's own type
# (presumably its /proc/<pid> entries, which procfs labels with the
# process's domain - confirm against the fs_use/genfs rules).
allow domain self:{ fifo_file file } rw_file_perms;
# Unix-domain sockets a process creates for itself (socketpair, etc.).
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };

# Inherit or receive open files from others.
# Only init and system_server are trusted sources of inherited/passed fds
# for every domain; other fd-passing relationships are granted per domain.
allow domain init:fd use;
allow domain system_server:fd use;

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
# This is a broad grant: any process may connect to adbd's stream sockets
# and operate on descriptors adbd passes to it. adbd itself stays in control
# of which sockets it hands out; nothing here lets a domain reach adbd's
# other resources.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

# Debug-build-only rules. userdebug_or_eng() expands its argument on
# userdebug and eng builds and to nothing on user builds, so none of the
# su/coredump grants below exist in shipping (user) policy. Keep this in
# mind when reading neverallow assertions that reference these types.
userdebug_or_eng(`
  # Same as adbd rules above, except allow su to do the same thing
  # Unlike the adbd rule above, ioctl is not granted on su's stream socket;
  # presumably intentional, but worth confirming if su-mediated transfers
  # ever need it.
  allow domain su:unix_stream_socket connectto;
  allow domain su:fd use;
  allow domain su:unix_stream_socket { getattr getopt read write shutdown };

  # Let every domain except init make binder calls into su (the exact
  # permission set, including any reverse fd/binder transfer, is whatever
  # binder_call in te_macros expands to).
  binder_call({ domain -init }, su)

  # Running something like "pm dump com.android.bluetooth" requires
  # fifo writes
  allow domain su:fifo_file { write getattr };

  # allow "gdbserver --attach" to work for su.
  # Note this is only sigchld delivery to su, not ptrace; the ptrace
  # permission itself has to come from su's own rules.
  allow domain su:process sigchld;

  # Allow writing coredumps to /cores/*
  # ra_dir_perms is read plus add_name/write (no remove_name), so a crashing
  # process can add its dump but not delete other domains' dumps.
  allow domain coredump_file:file create_file_perms;
  allow domain coredump_file:dir ra_dir_perms;
')

###
### Talk to debuggerd.