Add label for kernel test files and executables

This required for kernel to do loopback mounts on filesystem images created by the kernel system call tests in LTP. Add a corresponding neverallow to stop all domains from accessing the location at /data/local/tmp/ltp. Bug: 73220071 Test: Boot sailfish successfully Test: run vts-kernel -m VtsKernelLtp -t syscalls.fchown04 Change-Id: I73f5f14017e22971fc246a05751ba67be4653bca Signed-off-by: Sandeep Patil <sspatil@google.com>

Add label for kernel test files and executables
This required for kernel to do loopback mounts on filesystem images created by the kernel system call tests in LTP. Add a corresponding neverallow to stop all domains from accessing the location at /data/local/tmp/ltp. Bug: 73220071 Test: Boot sailfish successfully Test: run vts-kernel -m VtsKernelLtp -t syscalls.fchown04 Change-Id: I73f5f14017e22971fc246a05751ba67be4653bca Signed-off-by: Sandeep Patil <sspatil@google.com>
34e35e9e · Sandeep Patil · 63bcf4de · 34e35e9e · 34e35e9e · 34e35e9e
Commit 34e35e9e authored 7 years ago by Sandeep Patil
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -365,6 +365,7 @@
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
+/data/local/tmp/ltp(/.*)?   u:object_r:nativetest_data_file:s0
 /data/local/traces(/.*)?	u:object_r:trace_data_file:s0
 /data/media(/.*)?	u:object_r:media_rw_data_file:s0
 /data/mediadrm(/.*)?	u:object_r:media_data_file:s0

--- a/public/domain.te
+++ b/public/domain.te
@@ -452,6 +452,9 @@ neverallow {
  -apk_data_file
 }:file no_x_file_perms;
+# The test files and executables MUST not be accessible to any domain
+neverallow domain nativetest_data_file:file_class_set no_w_file_perms;
+neverallow domain nativetest_data_file:dir no_w_dir_perms;
 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
 # Only the init property service should write to /data/property and /dev/__properties__
@@ -1180,7 +1183,6 @@ neverallow {
  userdebug_or_eng(`-uncrypt')
 } shell_data_file:file open;
 # servicemanager and vndservicemanager are the only processes which handle the
 # service_manager list request
 neverallow * ~{

--- a/public/init.te
+++ b/public/init.te
@@ -138,6 +138,7 @@ allow init {
  -app_data_file
  -exec_type
  -misc_logd_file
+  -nativetest_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
@@ -149,6 +150,7 @@ allow init {
  -exec_type
  -keystore_data_file
  -misc_logd_file
+  -nativetest_data_file
  -shell_data_file
  -system_app_data_file
  -system_file
@@ -163,6 +165,7 @@ allow init {
  -exec_type
  -keystore_data_file
  -misc_logd_file
+  -nativetest_data_file
  -shell_data_file
  -system_app_data_file
  -system_file
@@ -176,6 +179,7 @@ allow init {
  -exec_type
  -keystore_data_file
  -misc_logd_file
+  -nativetest_data_file
  -shell_data_file
  -system_app_data_file
  -system_file
@@ -189,6 +193,7 @@ allow init {
  -exec_type
  -keystore_data_file
  -misc_logd_file
+  -nativetest_data_file
  -shell_data_file
  -system_app_data_file
  -system_file

--- a/public/kernel.te
+++ b/public/kernel.te
@@ -66,6 +66,7 @@ allow kernel app_data_file:file read;
 allow kernel asec_image_file:file read;
 # Allow reading loop device in update_engine_unittests. (b/28319454)
+# and for LTP kernel tests (b/73220071)
 userdebug_or_eng(`
  allow kernel update_engine_data_file:file read;
  allow kernel nativetest_data_file:file read;