Skip to content
Snippets Groups Projects
Commit a8b651bf authored by Nick Kralevich's avatar Nick Kralevich Committed by Pat Tjin
Browse files

relax appdomain efs_file neverallow rules [DO NOT MERGE] 

During factory provisioning, some manufacturers may need to pull files
from /factory (label efs_file and bluetooth_efs_file) to collect
device specific identifiers such as the mac address, using commands
similar to the following:

  adb shell cat /factory/ssn
  adb shell cat /factory/bt/bd_addr.conf
  adb shell cat /factory/wifi/mac.txt
  adb shell cat /factory/60isn

read-only access to these files is currently disallowed by a
neverallow rule. Relax the rules to allow read-only access to the
shell user if desired.

No new SELinux rules are added or deleted by this change. This is
only a relaxation in what's allowed for vendor specific policy.

Bug: 17600278

(cherry picked from commit 200a9f0e)

Change-Id: I2e277b1068a35cc06e0973df994ec3a49f2c26e7
parent b4fcaeea
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 2 additions and 2 deletions
app.te
+ 2
2
View file @ a8b651bf
...@@ -322,8 +322,8 @@ neverallow appdomain ...@@ -322,8 +322,8 @@ neverallow appdomain
{ create write setattr relabelfrom relabelto append unlink link rename }; { create write setattr relabelfrom relabelto append unlink link rename };
# Access to factory files. # Access to factory files.
neverallow appdomain neverallow appdomain efs_file:dir_file_class_set write;
efs_file:dir_file_class_set { read write }; neverallow { appdomain -shell } efs_file:dir_file_class_set read;
# Write to various pseudo file systems. # Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc } neverallow { appdomain -bluetooth -nfc }
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment