From 3171829af321113841b1d0da0ce82490190b8367 Mon Sep 17 00:00:00 2001
From: Max Bires <jbires@google.com>
Date: Fri, 27 Jan 2017 12:39:45 -0800
Subject: [PATCH] Removing init and ueventd access to generic char files

There are many character files that are unreachable to all processes
under selinux policies. Ueventd and init were the only two domains that
had access to these generic character files, but auditing proved there
was no use for that access. In light of this, access is being completely
revoked so that the device nodes can be removed, and the existing
neverallow is extended to every domain to prevent future regressions.

Test: The device boots
Bug: 33347297
Change-Id: If050693e5e5a65533f3d909382e40f9c6b85f61c
---
 public/domain.te  |  4 +---
 public/init.te    | 12 ++++++------
 public/ueventd.te |  2 --
 3 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 5df7a4351..868901728 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -271,9 +271,7 @@ neverallow * *:{ blk_file chr_file } rename;
 
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
-# init is exempt from this as there are character devices that only it uses.
-# ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd } device:chr_file { open read write };
+neverallow domain device:chr_file { open read write };
 
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
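Review bot: The tightened assertion on the new line still covers only open/read/write, so setattr on `device:chr_file` (which init.te continues to grant via `{ dev_type -kmem_device -port_device }`) and ioctl/append on an fd a domain already holds remain outside it; that is presumably deliberate, since init must still chown/chmod a node before it is relabelled, but the comment above does not say so. A one-line note would make the boundary explicit for the next person who widens the permission set: `# setattr and relabel are intentionally left out so init/ueventd can still chown and relabel a node to its specific type.` If ioctl on inherited fds is also meant to be excluded, that should be stated too rather than left implicit.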
diff --git a/public/init.te b/public/init.te
index debdc398a..1bc2dc6a3 100644
--- a/public/init.te
+++ b/public/init.te
@@ -195,8 +195,13 @@ userdebug_or_eng(`
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 
+# init should not be able to read or open generic devices
+# TODO: auditing to see if this can be deleted entirely
+allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+auditallow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+
 # chown/chmod on devices.
-allow init { dev_type -kmem_device -port_device }:chr_file { read open setattr };
+allow init { dev_type -kmem_device -port_device }:chr_file setattr;
 
 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };
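Review bot: The comment on the first added line reads as a prohibition ("init should not be able to read or open generic devices") but the rule under it is an allow; the meaning is carried only by the `-device` exclusion, which is easy to miss. Suggest rewording to something like `# read/open on specifically-typed devices only; the generic 'device' type is excluded (see neverallow in domain.te). auditallow records remaining uses so this rule can be dropped later (b/33347297)`, which also restores the bug reference the removed block had and the new TODO dropped. The hunk header names `userdebug_or_eng(` as the nearest preceding line; the new rules are unindented so they look unconditional, but it is worth confirming they sit outside that macro, since an allow that applied only to userdebug builds would break user builds silently.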
@@ -318,11 +323,6 @@ allow init hw_random_device:chr_file r_file_perms;
 # only ever accessed by init.
 allow init device:file create_file_perms;
 
-# Access character devices without a specific type,
-# TODO: Remove this access and auditallow (b/33347297)
-allow init device:chr_file { rw_file_perms setattr };
-auditallow init device:chr_file { rw_file_perms setattr };
-
 # keychord configuration
 allow init self:capability sys_tty_config;
 allow init keychord_device:chr_file rw_file_perms;
diff --git a/public/ueventd.te b/public/ueventd.te
index 11235ed35..b0706c895 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -7,8 +7,6 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
 
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
-allow ueventd device:chr_file rw_file_perms;
-auditallow ueventd device:chr_file rw_file_perms;
 
 r_dir_file(ueventd, sysfs_type)
 r_dir_file(ueventd, rootfs)
-- 
GitLab