diff --git a/public/domain.te b/public/domain.te
index c8b0bc137f5d2675b4c0a948bf270466ac84a422..5e43db9bd0bd76d5312a08babc04b65ca9256403 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -366,9 +366,7 @@ neverallow {
 # b/78174219 b/64114943
 neverallow {
 domain
- -init
 -shell # stat of /dev, getattr only
- -vendor_init
 -ueventd
 } keychord_device:chr_file *;
diff --git a/public/init.te b/public/init.te
index 5db0ab3bdec83abae66446b2e0979325b44df604..d3a3b1fa69d1dcd4a81ba89608a3c527c856be18 100644
--- a/public/init.te
+++ b/public/init.te
@@ -234,6 +234,7 @@ allow init debugfs_wifi_tracing:file w_file_perms;
 allow init {
 fs_type
 -contextmount_type
+ -keychord_device
 -proc_type
 -sdcard_type
 -sysfs_type
@@ -245,11 +246,12 @@ allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read
 # TODO: auditing to see if this can be deleted entirely
 allow init {
 dev_type
+ -keychord_device
 -kmem_device
 -port_device
 -device
 -vndbinder_device
- }:chr_file { read open };
+}:chr_file { read open };
 auditallow init {
 dev_type
 -alarm_device
@@ -262,7 +264,6 @@ auditallow init {
 -hwbinder_device
 -hw_random_device
 -input_device
- -keychord_device
 -kmem_device
 -kmsg_device
 -null_device
@@ -274,7 +275,12 @@ auditallow init {
 }:chr_file { read open };
 # chown/chmod on devices.
-allow init { dev_type -kmem_device -port_device }:chr_file setattr;
+allow init {
+ dev_type
+ -keychord_device
+ -kmem_device
+ -port_device
+}:chr_file setattr;
 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };
@@ -464,9 +470,7 @@ allow init hw_random_device:chr_file r_file_perms;
 # only ever accessed by init.
 allow init device:file create_file_perms;
-# keychord configuration
-allow init self:global_capability_class_set sys_tty_config;
-allow init keychord_device:chr_file rw_file_perms;
+# keychord retrieval from /dev/input/ devices
 allow init input_device:dir r_dir_perms;
 allow init input_device:chr_file rw_file_perms;
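Review bot: In the public/domain.te hunk (@@ -366), the neverallow that remains still exempts `shell` for every permission on `keychord_device:chr_file`, although its inline comment says the exemption exists for getattr only. Now that init and vendor_init are no longer exempt, it would be consistent to pin shell down as well, for example by adding `neverallow shell keychord_device:chr_file ~{ getattr };` after the existing rule. The rules that actually grant shell access are not visible in this diff, so confirm the extra neverallow compiles against them.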
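Review bot: In the public/init.te hunk at @@ -234 (and again in public/vendor_init.te at @@ -99), `-keychord_device` is subtracted from a set built on `fs_type`, and nothing in the diff explains why a device node type would be a member of that attribute. If the type carries only `dev_type`, which its name suggests but its declaration is not shown here, the subtraction has no effect and the line reads as a restriction that does not exist. A short comment such as `# keychord_device excluded to satisfy the neverallow in domain.te` would tell a maintainer whether the line is load-bearing. The allow rule ends outside the hunk, so its target class and permissions cannot be checked from here.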
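Review bot: In the public/init.te hunk at @@ -464, the new comment `# keychord retrieval from /dev/input/ devices` now labels `allow init input_device:chr_file rw_file_perms;`, which grants write on every input device node. If init only reads key events to detect keychords, `allow init input_device:chr_file r_file_perms;` would be the least-privilege grant and would match the "retrieval" wording. That allow line is unchanged context, and whether another part of init depends on write access is not visible here, so this needs checking against init's other uses of /dev/input before tightening.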
diff --git a/public/vendor_init.te b/public/vendor_init.te
index f55b3e818263f91bd5f27dca1c548b788e902916..19d906b47d871b6e3533053f7a1489f25cf348ba 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -99,6 +99,7 @@ allow vendor_init debugfs_tracing:file w_file_perms;
 allow vendor_init {
 fs_type
 -contextmount_type
+ -keychord_device
 -sdcard_type
 -rootfs
 -proc_uid_time_in_state
@@ -119,6 +120,7 @@ allow vendor_init {
 # chown/chmod on devices, e.g. /dev/ttyHS0
 allow vendor_init {
 dev_type
+ -keychord_device
 -kmem_device
 -port_device
 -lowpan_device