shell: enable hostside test: testAllBlockDevicesAreSecure
Enable rules to allow shell to getattr on all block files so that the modes under /dev/block can be checked. Exempt shell from any neverallow rules on blk_file and limit it to getattr only. bug: 28306036 Change-Id: Ic26c0f7acfb238ff78d5d3537d51c1a70c64d196 Signed-off-by: William Roberts <william.c.roberts@intel.com>
parent
72c16e32f5
commit
e53d0b0bcc
@ -324,7 +324,13 @@ neverallow * default_android_service:service_manager add;
|
||||
neverallow { domain -init } default_prop:property_service set;
|
||||
neverallow { domain -init } mmc_prop:property_service set;
|
||||
|
||||
neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-recovery
|
||||
-system_server
|
||||
-shell # Shell is further restricted in shell.te
|
||||
} frp_block_device:blk_file rw_file_perms;
|
||||
|
||||
# No domain other than recovery and update_engine can write to system partition(s).
|
||||
neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
|
||||
|
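Review bot: Removing shell from the `frp_block_device:blk_file rw_file_perms` neverallow moves the protection of the FRP partition out of this file: the `-shell` exemption is only safe because shell.te adds `neverallow shell dev_type:blk_file ~getattr;`, and that rule covers frp_block_device only if frp_block_device carries the dev_type attribute, which this hunk does not show. I would have the inline comment name the rule it leans on, e.g. `-shell # getattr only; shell.te: neverallow shell dev_type:blk_file ~getattr`, so that a later change to shell.te cannot silently widen shell's access to FRP without someone noticing the dependency here. The exemption appears to be needed because rw_file_perms includes getattr via r_file_perms, so shell's new dev_type getattr grant would otherwise trip this rule; if that is not the case for this tree's macros, shell should stay in the neverallow set. The `system_block_device:blk_file write` rule below is unaffected since getattr is not write.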
9
shell.te
9
shell.te
@ -133,6 +133,12 @@ allow shell dev_type:chr_file getattr;
|
||||
# /dev/fd is a symlink
|
||||
allow shell proc:lnk_file getattr;
|
||||
|
||||
#
|
||||
# filesystem test for insucre blk_file's is done
|
||||
# via hostside test
|
||||
#
|
||||
allow shell dev_type:blk_file getattr;
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
@ -152,3 +158,6 @@ neverallow shell {
|
||||
hw_random_device
|
||||
kmem_device
|
||||
}:chr_file ~getattr;
|
||||
|
||||
# Limit shell to only getattr on blk devices for host side tests.
|
||||
neverallow shell dev_type:blk_file ~getattr;
|
||||
|
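Review bot: The comment above `allow shell dev_type:blk_file getattr;` misspells "insecure" as "insucre" and does not say what the access is for or why it is bounded; suggest `# Hostside test testAllBlockDevicesAreSecure stats every node under /dev/block to check mode/owner; shell only needs getattr, and the neverallow below pins it to exactly that.` Both the allow and the `neverallow shell dev_type:blk_file ~getattr;` are keyed on the dev_type attribute, so a block-device type that lacks dev_type would be neither stat-able by the test nor constrained by the neverallow; worth confirming every blk_file type used under /dev/block carries dev_type. getattr on a block node exposes only metadata (mode, owner, rdev), not partition contents, so the grant itself looks low-risk, and mirroring the existing `dev_type:chr_file ~getattr` neverallow keeps the two device classes consistent.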