From 0722b5aab6c54bdb3e481048ab2bd8c47679b7a1 Mon Sep 17 00:00:00 2001
From: Mark Salyzyn <salyzyn@google.com>
Date: Wed, 9 May 2018 07:20:45 -0700
Subject: [PATCH] init: drop /dev/keychord access

Test: compile
Bug: 64114943
Change-Id: I1d20cc027dbd1a94e2a79b6aebdd265cefe8a6a5
---
 public/domain.te      |  2 --
 public/init.te        | 16 ++++++++++------
 public/vendor_init.te |  2 ++
 3 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index c8b0bc137..5e43db9bd 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -366,9 +366,7 @@ neverallow {
 # b/78174219 b/64114943
 neverallow {
   domain
-  -init
   -shell # stat of /dev, getattr only
-  -vendor_init
   -ueventd
 } keychord_device:chr_file *;
 
diff --git a/public/init.te b/public/init.te
index 5db0ab3bd..d3a3b1fa6 100644
--- a/public/init.te
+++ b/public/init.te
@@ -234,6 +234,7 @@ allow init debugfs_wifi_tracing:file w_file_perms;
 allow init {
   fs_type
   -contextmount_type
+  -keychord_device
   -proc_type
   -sdcard_type
   -sysfs_type
@@ -245,11 +246,12 @@ allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read
 # TODO: auditing to see if this can be deleted entirely
 allow init {
   dev_type
+  -keychord_device
   -kmem_device
   -port_device
   -device
   -vndbinder_device
-  }:chr_file { read open };
+}:chr_file { read open };
 auditallow init {
   dev_type
   -alarm_device
@@ -262,7 +264,6 @@ auditallow init {
   -hwbinder_device
   -hw_random_device
   -input_device
-  -keychord_device
   -kmem_device
   -kmsg_device
   -null_device
@@ -274,7 +275,12 @@ auditallow init {
 }:chr_file { read open };
 
 # chown/chmod on devices.
-allow init { dev_type -kmem_device -port_device }:chr_file setattr;
+allow init {
+  dev_type
+  -keychord_device
+  -kmem_device
+  -port_device
+}:chr_file setattr;
 
 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };
@@ -464,9 +470,7 @@ allow init hw_random_device:chr_file r_file_perms;
 # only ever accessed by init.
 allow init device:file create_file_perms;
 
-# keychord configuration
-allow init self:global_capability_class_set sys_tty_config;
-allow init keychord_device:chr_file rw_file_perms;
+# keychord retrieval from /dev/input/ devices
 allow init input_device:dir r_dir_perms;
 allow init input_device:chr_file rw_file_perms;
 
diff --git a/public/vendor_init.te b/public/vendor_init.te
index f55b3e818..19d906b47 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -99,6 +99,7 @@ allow vendor_init debugfs_tracing:file w_file_perms;
 allow vendor_init {
   fs_type
   -contextmount_type
+  -keychord_device
   -sdcard_type
   -rootfs
   -proc_uid_time_in_state
@@ -119,6 +120,7 @@ allow vendor_init {
 # chown/chmod on devices, e.g. /dev/ttyHS0
 allow vendor_init {
   dev_type
+  -keychord_device
   -kmem_device
   -port_device
   -lowpan_device
-- 
GitLab