shell: enable hostside test: testAllBlockDevicesAreSecure

Enable rules to allow shell to getattr on all block files
for checking modes under /dev/block.

Exempt shell from any neverallows on blk_file and limit them
to only getattr.

bug: 28306036
Change-Id: Ic26c0f7acfb238ff78d5d3537d51c1a70c64d196
Signed-off-by: William Roberts <william.c.roberts@intel.com>

domain.te

@@ -324,7 +324,13 @@ neverallow * default_android_service:service_manager add;
 neverallow { domain -init } default_prop:property_service set;
 neverallow { domain -init } mmc_prop:property_service set;
 
-neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
+neverallow {
+  domain
+  -init
+  -recovery
+  -system_server
+  -shell # Shell is further restricted in shell.te
+} frp_block_device:blk_file rw_file_perms;
 
 # No domain other than recovery and update_engine can write to system partition(s).
 neverallow { domain -recovery -update_engine } system_block_device:blk_file write;

shell.te

@@ -133,6 +133,12 @@ allow shell dev_type:chr_file getattr;
 # /dev/fd is a symlink
 allow shell proc:lnk_file getattr;
 
+#
+# filesystem test for insucre blk_file's is done
+# via hostside test
+#
+allow shell dev_type:blk_file getattr;
+
 ###
 ### Neverallow rules
 ###
@@ -152,3 +158,6 @@ neverallow shell {
   hw_random_device
   kmem_device
 }:chr_file ~getattr;
+
+# Limit shell to only getattr on blk devices for host side tests.
+neverallow shell dev_type:blk_file ~getattr;