From 24a7f1679fed8783aa20501d5df93296d4c540c1 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 14 Apr 2016 17:23:10 -0700
Subject: [PATCH] Disallow /misc access except for a few domains.

The misc_block_device partition is intended for the exclusive use of the OTA system, and components related to the OTA system. Disallow it's use by anyone else on user builds.

On userdebug/eng builds, allow any domain to use this, since this appears to be used for testing purposes.

Bug: 26470876
(cherry picked from commit 2c7a5f26b96dc35310727b8e63c18445778dbbaa)
Change-Id: I40c80fa62651a0135e1f07a5e07d2ef65ba04139
---
 domain.te | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/domain.te b/domain.te
index 8ff05a5a2..2b4f68ce7 100644
--- a/domain.te
+++ b/domain.te
@@ -351,6 +351,20 @@ neverallow { domain -recovery -update_engine } system_block_device:blk_file writ
 # No domains other than install_recovery or recovery can write to recovery.
 neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain') # exclude debuggable builds
+ -init
+ -uncrypt
+ -update_engine
+ -vold
+ -recovery
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
 # Only servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager } *:binder set_context_mgr;
-- 
GitLab
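Review bot: The header comment on the new rule says no other domain can "access" misc_block_device, but the neverallow only asserts the permissions it lists; `getattr`, `setattr`, `create`, `unlink`, `relabelto` and `mounton` on the node are left unconstrained, so a later `allow` granting one of them to an unrelated domain would still pass the policy build. If some of these were omitted deliberately (for instance so that whichever domain creates and chowns the device node can keep doing so), the comment should say which ones and why, e.g. `# getattr/setattr/create/unlink on the node are intentionally not asserted; only data access is restricted here.` Otherwise consider extending the permission set, bearing in mind that any domain already granted one of those permissions would then have to be added to the exclusion list. The userdebug_or_eng(`-domain') term makes the assertion a no-op on debuggable builds as the comment documents, which also means the exclusion list is only ever validated by user builds; a sentence in the comment saying so would help the next person who adds a domain here.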