relax appdomain efs_file neverallow rules [DO NOT MERGE]
During factory provisioning, some manufacturers may need to pull files
from /factory (label efs_file and bluetooth_efs_file) to collect
device specific identifiers such as the mac address, using commands
similar to the following:
adb shell cat /factory/ssn
adb shell cat /factory/bt/bd_addr.conf
adb shell cat /factory/wifi/mac.txt
adb shell cat /factory/60isn
read-only access to these files is currently disallowed by a
neverallow rule. Relax the rules to allow read-only access to the
shell user if desired.
No new SELinux rules are added or deleted by this change. This is
only a relaxation in what's allowed for vendor specific policy.
Bug: 17600278
(cherry picked from commit 200a9f0e20337b48824cf621a017e2852245e5ca)
Change-Id: I2e277b1068a35cc06e0973df994ec3a49f2c26e7
diff --git a/app.te b/app.te
index dbe3dc2..51fbe43 100644
--- a/app.te
+++ b/app.te
@@ -322,8 +322,8 @@
{ create write setattr relabelfrom relabelto append unlink link rename };
# Access to factory files.
-neverallow appdomain
- efs_file:dir_file_class_set { read write };
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }