From e9d261ff17648e7d08f8fe86909ad0522fbbafb3 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 28 Oct 2015 16:45:58 -0700
Subject: [PATCH] Create a new SELinux type for /data/nativetest

1) Don't use the generic "system_data_file" for the files in /data/nativetest.
Rather, ensure it has its own special label. This allows us to distinguish
these files from other files in SELinux policy.

2) Allow the shell user to execute files from /data/nativetest, on
userdebug or eng builds only.

3) Add a neverallow rule (compile time assertion + CTS test) that nobody
is allowed to execute these files on user builds, and only the shell user
is allowed to execute these files on userdebug/eng builds.

Bug: 25340994
Change-Id: I3e292cdd1908f342699d6c52f8bbbe6065359413
---
 domain.te     | 2 ++
 file.te       | 2 ++
 file_contexts | 1 +
 shell.te      | 6 ++++++
 4 files changed, 11 insertions(+)

diff --git a/domain.te b/domain.te
index ee606a4b1..69cf04d7c 100644
--- a/domain.te
+++ b/domain.te
@@ -313,6 +313,8 @@ neverallow {
   -apk_data_file
 }:file no_x_file_perms;
 
+neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
+
 # Only the init property service should write to /data/property.
 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
 neverallow { domain -init } property_data_file:file no_w_file_perms;
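Review bot: The new neverallow on nativetest_data_file has no explanatory comment, unlike the neighbouring rules (e.g. the property_data_file block directly below it), so its intent — and why shell is carved out only under userdebug_or_eng — has to be reconstructed from the commit message. A one-line comment above it would record that, for example `# Nothing may execute /data/nativetest files on user builds; only shell may on userdebug/eng.`. Note that the assertion constrains the file class and execute permissions only; who may write, create or relabel these files is left to the existing data_file_type rules, which is presumably intentional but worth stating in the same comment. The neverallow block that the hunk opens with begins outside the hunk.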
diff --git a/file.te b/file.te
index 244e8d5da..383c3c5a9 100644
--- a/file.te
+++ b/file.te
@@ -91,6 +91,8 @@ type property_data_file, file_type, data_file_type;
 type bootchart_data_file, file_type, data_file_type;
 # /data/system/heapdump
 type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
+# /data/nativetest
+type nativetest_data_file, file_type, data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
diff --git a/file_contexts b/file_contexts
index 2143a77e7..107c73c2d 100644
--- a/file_contexts
+++ b/file_contexts
@@ -244,6 +244,7 @@
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
 /data/media(/.*)?	u:object_r:media_rw_data_file:s0
 /data/mediadrm(/.*)?	u:object_r:media_data_file:s0
+/data/nativetest(/.*)?	u:object_r:nativetest_data_file:s0
 /data/property(/.*)?	u:object_r:property_data_file:s0
 
 # Misc data
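Review bot: The new file_contexts entry only affects files labeled after this policy is installed; anything already present under /data/nativetest on a device being upgraded keeps its old system_data_file label until a restorecon runs, at which point the new shell allow rules would not apply to it. Whether the existing boot-time relabel of /data covers this path cannot be confirmed from this patch, so it would help to state the expectation in the commit message or to verify it on an upgrade path.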
diff --git a/shell.te b/shell.te
index 39b599fca..32ca20dbf 100644
--- a/shell.te
+++ b/shell.te
@@ -31,6 +31,12 @@ allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 allow shell shell_data_file:lnk_file create_file_perms;
 
+# Read/execute files in /data/nativetest
+userdebug_or_eng(`
+  allow shell nativetest_data_file:dir r_dir_perms;
+  allow shell nativetest_data_file:file rx_file_perms;
+')
+
 # adb bugreport
 unix_socket_connect(shell, dumpstate, dumpstate)
 
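Review bot: The comment on the new block says only "Read/execute files in /data/nativetest" while the rules are wrapped in userdebug_or_eng, so a reader skimming shell.te may miss that they vanish entirely on user builds; `# Read/execute files in /data/nativetest (userdebug/eng builds only)` would make that explicit. It also seems worth recording that rx_file_perms presumably includes execute_no_trans, so binaries launched from here keep running in the shell domain with all of shell's permissions rather than transitioning to a confined test domain — confirm that is the intended trust level for these test executables.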
-- 
GitLab