relax appdomain efs_file neverallow rules [DO NOT MERGE]

During factory provisioning, some manufacturers may need to pull files from /factory (label efs_file and bluetooth_efs_file) to collect device specific identifiers such as the mac address, using commands similar to the following: adb shell cat /factory/ssn adb shell cat /factory/bt/bd_addr.conf adb shell cat /factory/wifi/mac.txt adb shell cat /factory/60isn read-only access to these files is currently disallowed by a neverallow rule. Relax the rules to allow read-only access to the shell user if desired. No new SELinux rules are added or deleted by this change. This is only a relaxation in what's allowed for vendor specific policy. Bug: 17600278 (cherry picked from commit 200a9f0e20) Change-Id: I2e277b1068a35cc06e0973df994ec3a49f2c26e7
2014-09-22 15:41:38 -07:00 · 2014-09-22 15:41:38 -07:00 · a8b651bfba
commit a8b651bfba
parent b4fcaeea34
1 changed files with 2 additions and 2 deletions
--- a/app.te
+++ b/app.te
@ -322,8 +322,8 @@ neverallow appdomain
    { create write setattr relabelfrom relabelto append unlink link rename };

 # Access to factory files.
-neverallow appdomain
-    efs_file:dir_file_class_set { read write };
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;

 # Write to various pseudo file systems.
 neverallow { appdomain -bluetooth -nfc }