Merge "domain.te & kernel.te: allow kernel to write nativetest_data_file"

117d69fd · Treehugger Robot · Gerrit Code Review · 2d01df0a · 64ff9e95 · 117d69fd
Commit 117d69fd authored May 16, 2018 by Treehugger Robot Committed by Gerrit Code Review May 16, 2018
--- a/public/domain.te
+++ b/public/domain.te
@@ -466,7 +466,7 @@ neverallow {
 }:file no_x_file_perms;
 # The test files and executables MUST not be accessible to any domain
-neverallow domain nativetest_data_file:file_class_set no_w_file_perms;
+neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
 neverallow domain nativetest_data_file:dir no_w_dir_perms;
 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;

--- a/public/kernel.te
+++ b/public/kernel.te
@@ -69,7 +69,7 @@ allow kernel asec_image_file:file read;
 # and for LTP kernel tests (b/73220071)
 userdebug_or_eng(`
  allow kernel update_engine_data_file:file read;
-  allow kernel nativetest_data_file:file read;
+  allow kernel nativetest_data_file:file { read write };
 ')
 # Access to /data/media.