adbd/shell: grant access to sepolicy for cts

Test: Test: make cts && \ cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi arm64-v8a \ --module CtsSecurityHostTestCases \ -t android.security.cts.SELinuxHostTest#testNoExemptionsForBinderInVendorBan Fails as expected. Bug: 36002573 Change-Id: I298c526789b25734d5f18666c64497e5d1e181d0

adbd/shell: grant access to sepolicy for cts
Test: Test: make cts && \ cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi arm64-v8a \ --module CtsSecurityHostTestCases \ -t android.security.cts.SELinuxHostTest#testNoExemptionsForBinderInVendorBan Fails as expected. Bug: 36002573 Change-Id: I298c526789b25734d5f18666c64497e5d1e181d0
892d1e40 · Jeff Vander Stoep · ed82acb9 · 892d1e40 · 892d1e40
Commit 892d1e40 authored 7 years ago by Jeff Vander Stoep
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -103,6 +103,8 @@ allow adbd kernel:security read_policy;
 allow adbd service_contexts_file:file r_file_perms;
 allow adbd file_contexts_file:file r_file_perms;
 allow adbd seapp_contexts_file:file r_file_perms;
+allow adbd property_contexts_file:file r_file_perms;
+allow adbd sepolicy_file:file r_file_perms;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;

--- a/public/shell.te
+++ b/public/shell.te
@@ -147,6 +147,13 @@ allow shell proc:lnk_file getattr;
 #
 allow shell dev_type:blk_file getattr;
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell seapp_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
 ###
 ### Neverallow rules
 ###