domain: Restore original neverallow rules for shipping builds

MR1 CTS validates the integrity of neverallow rules, so we can't change them Fixes android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules82 Change-Id: If8d3e26355a0774edee60ac9293a58eb48dc1b48
TeslaOS · Jun 16, 2015 · 1d7bc1d · 1d7bc1d
1 parent d2a9e97
commit 1d7bc1d
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/Android.mk b/Android.mk
@@ -113,6 +113,7 @@ $(sepolicy_policy.conf) : $(call build_policy, $(sepolicy_build_files))
 	@mkdir -p $(dir $@)
 	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-D shipping_build=$(CYNGN_TARGET) \
 		-D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

diff --git a/domain.te b/domain.te
@@ -299,7 +299,11 @@ neverallow { domain -recovery } rootfs:file { create write setattr relabelto app
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
-neverallow domain {fs_type -contextmount_type -sdcard_posix}:filesystem relabelto;
+ifelse(shipping_build, `true',
+  `neverallow domain {fs_type -contextmount_type}:filesystem relabelto;'
+,
+  `neverallow domain {fs_type -contextmount_type -sdcard_posix}:filesystem relabelto;'
+)
 
 # Ensure that context mount types are not writable, to ensure that
 # the write to /system restriction above is not bypassed via context=

diff --git a/file.te b/file.te
@@ -31,7 +31,12 @@ type shm, fs_type;
 type mqueue, fs_type;
 type fuse, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
-type sdcard_posix, sdcard_type, fs_type, mlstrustedobject;
+ifelse(shipping_build, `true',
+  # Dummy this out in shipping to avoid breaking code mentioning the label
+  `typealias vfat alias sdcard_posix;'
+,
+  `type sdcard_posix, sdcard_type, fs_type, mlstrustedobject;'
+)
 typealias fuse alias sdcard_internal;
 typealias vfat alias sdcard_external;
 type debugfs, fs_type, mlstrustedobject;

diff --git a/vold.te b/vold.te
@@ -13,7 +13,9 @@ allow vold devpts:chr_file rw_file_perms;
 allow vold rootfs:dir mounton;
 allow vold sdcard_type:dir mounton;
 allow vold sdcard_type:filesystem { mount remount unmount };
-allow vold sdcard_posix:filesystem { relabelto relabelfrom };
+ifelse(shipping_build, `true', ,
+  allow vold sdcard_posix:filesystem { relabelto relabelfrom };
+)
 allow vold labeledfs:filesystem { relabelfrom };
 allow vold sdcard_type:dir create_dir_perms;
 allow vold sdcard_type:file create_file_perms;