From 34e35e9e9500608409920471dc05f12b9317338e Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Tue, 20 Feb 2018 12:41:30 -0800
Subject: [PATCH] Add label for kernel test files and executables

This required for kernel to do loopback mounts on filesystem images created by the kernel system call tests in LTP. Add a corresponding neverallow to stop all domains from accessing the location at /data/local/tmp/ltp.

Bug: 73220071
Test: Boot sailfish successfully
Test: run vts-kernel -m VtsKernelLtp -t syscalls.fchown04
Change-Id: I73f5f14017e22971fc246a05751ba67be4653bca
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 private/file_contexts | 1 +
 public/domain.te | 4 +++-
 public/init.te | 5 +++++
 public/kernel.te | 1 +
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/private/file_contexts b/private/file_contexts
index 321cfbe72..10a8a71b3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -365,6 +365,7 @@
 /data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
 /data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 /data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
 /data/local/traces(/.*)? u:object_r:trace_data_file:s0
 /data/media(/.*)? u:object_r:media_rw_data_file:s0
 /data/mediadrm(/.*)? u:object_r:media_data_file:s0
diff --git a/public/domain.te b/public/domain.te
index 11c743387..beb091cc4 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -452,6 +452,9 @@ neverallow {
   -apk_data_file
 }:file no_x_file_perms;
 
+# The test files and executables MUST not be accessible to any domain
+neverallow domain nativetest_data_file:file_class_set no_w_file_perms;
+neverallow domain nativetest_data_file:dir no_w_dir_perms;
 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
 
 # Only the init property service should write to /data/property and /dev/__properties__
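Review bot: The new `/data/local/tmp/ltp(/.*)?` entry only labels that path when file_contexts is applied (at boot or by an explicit restorecon); anything the test harness creates there at runtime is labeled by the creating domain's rules or by the parent directory, which presumably means `shell_data_file` from the `/data/local/tmp(/.*)?` entry just above, unless a type_transition exists elsewhere. Worth confirming that the directory is created and relabeled before the LTP images are written, otherwise the `nativetest_data_file` neverallow rules added in domain.te will not cover these files. A short comment on the new line, `# LTP images; must be restorecon'd after creation so files get this label`, would make that expectation visible to the next reader.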
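Review bot: The comment added at the top of this hunk overstates the rules beneath it: `no_w_file_perms` and `no_w_dir_perms` forbid only writes, the existing third neverallow exempts shell from the execute ban on userdebug/eng builds, and reads by any domain remain permitted (the kernel.te hunk in this same change documents kernel read access to `nativetest_data_file`). Suggest `# The test files and executables MUST NOT be writable by any domain, and are executable only by shell on userdebug/eng builds` so the comment states the invariant the policy actually enforces. Note also that `neverallow domain nativetest_data_file:dir no_w_dir_perms;` binds every domain at policy-compile time, including the shell domain that pushes the test images; it is not visible here how the LTP harness populates /data/local/tmp/ltp, so confirm that path still works (presumably via a permissive debug domain, but that should be verified rather than assumed).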
@@ -1180,7 +1183,6 @@ neverallow {
   userdebug_or_eng(`-uncrypt')
 } shell_data_file:file open;
 
-
 # servicemanager and vndservicemanager are the only processes which handle the
 # service_manager list request
 neverallow * ~{
diff --git a/public/init.te b/public/init.te
index afdc10ed1..f8a22b9cd 100644
--- a/public/init.te
+++ b/public/init.te
@@ -138,6 +138,7 @@ allow init {
   -app_data_file
   -exec_type
   -misc_logd_file
+  -nativetest_data_file
   -system_app_data_file
   -system_file
   -vendor_file_type
@@ -149,6 +150,7 @@ allow init {
   -exec_type
   -keystore_data_file
   -misc_logd_file
+  -nativetest_data_file
   -shell_data_file
   -system_app_data_file
   -system_file
@@ -163,6 +165,7 @@ allow init {
   -exec_type
   -keystore_data_file
   -misc_logd_file
+  -nativetest_data_file
   -shell_data_file
   -system_app_data_file
   -system_file
@@ -176,6 +179,7 @@ allow init {
   -exec_type
   -keystore_data_file
   -misc_logd_file
+  -nativetest_data_file
   -shell_data_file
   -system_app_data_file
   -system_file
@@ -189,6 +193,7 @@ allow init {
   -exec_type
   -keystore_data_file
   -misc_logd_file
+  -nativetest_data_file
   -shell_data_file
   -system_app_data_file
   -system_file
diff --git a/public/kernel.te b/public/kernel.te
index ba1dec95c..c8521e329 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -66,6 +66,7 @@ allow kernel app_data_file:file read;
 allow kernel asec_image_file:file read;
 
 # Allow reading loop device in update_engine_unittests. (b/28319454)
+# and for LTP kernel tests (b/73220071)
 userdebug_or_eng(`
 allow kernel update_engine_data_file:file read;
 allow kernel nativetest_data_file:file read;
-- 
GitLab