platform_system_sepolicy/public/tzdatacheck.te
Neil Fuller 5684f61fe2 Allow the shell user to run tzdatacheck
Allow the shell user to run tzdatacheck, which is required
to enable a new host side test.

This change also adds some additional checks to
tzdatacheck.te to ensure that OEMs opening up permissions
further don't accidentally create a security hole.

Bug: 31008728
Test: Ran CTS
Change-Id: I6ebfb467526b6b2ea08f891420eea24c81ed1e36
2017-04-20 09:31:36 +00:00

18 lines
1 KiB
Text

# The tzdatacheck command run by init.
type tzdatacheck, domain;
type tzdatacheck_exec, exec_type, file_type;
allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
allow tzdatacheck zoneinfo_data_file:file unlink;
# Below are strong assertion that only init, system_server and tzdatacheck
# can modify the /data time zone rules directories. This is to make it very
# clear that only these domains should modify the actual time zone rules data.
# The tzdatacheck binary itself may be executed by shell for tests but it must
# not be able to modify the real rules.
# If other users / binaries could modify time zone rules on device this might
# have negative implications for users (who may get incorrect local times)
# or break assumptions made / invalidate data held by the components actually
# responsible for updating time zone rules.
neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;