From a8b651bfba433ab91b565fea5276ceb7743ad15a Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 22 Sep 2014 15:41:38 -0700
Subject: [PATCH] relax appdomain efs_file neverallow rules [DO NOT MERGE]

During factory provisioning, some manufacturers may need to pull files
from /factory (label efs_file and bluetooth_efs_file) to collect
device specific identifiers such as the mac address, using commands
similar to the following:

  adb shell cat /factory/ssn
  adb shell cat /factory/bt/bd_addr.conf
  adb shell cat /factory/wifi/mac.txt
  adb shell cat /factory/60isn

read-only access to these files is currently disallowed by a
neverallow rule. Relax the rules to allow read-only access to the
shell user if desired.

No new SELinux rules are added or deleted by this change. This is
only a relaxation in what's allowed for vendor specific policy.

Bug: 17600278

(cherry picked from commit 200a9f0e20337b48824cf621a017e2852245e5ca)

Change-Id: I2e277b1068a35cc06e0973df994ec3a49f2c26e7
---
 app.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app.te b/app.te
index dbe3dc2b3..51fbe439f 100644
--- a/app.te
+++ b/app.te
@@ -322,8 +322,8 @@ neverallow appdomain
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Access to factory files.
-neverallow appdomain
-    efs_file:dir_file_class_set { read write };
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
 
 # Write to various pseudo file systems.
 neverallow { appdomain -bluetooth -nfc }
-- 
GitLab