Removing init and ueventd access to generic char files

am: 3171829a Change-Id: Ifef40c211276c8cdf576e10cb04753dcb150ad65

Removing init and ueventd access to generic char files
56ae3291 · Max Bires · android-build-merger · 2cf8777f · 3171829a · 56ae3291
Commit 56ae3291 authored 8 years ago by Max Bires Committed by android-build-merger 8 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -271,9 +271,7 @@ neverallow * *:{ blk_file chr_file } rename;
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
-# init is exempt from this as there are character devices that only it uses.
+neverallow domain device:chr_file { open read write };
-# ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd } device:chr_file { open read write };
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need

--- a/public/init.te
+++ b/public/init.te
@@ -195,8 +195,13 @@ userdebug_or_eng(`
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
+# init should not be able to read or open generic devices
+# TODO: auditing to see if this can be deleted entirely
+allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+auditallow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
 # chown/chmod on devices.
-allow init { dev_type -kmem_device -port_device }:chr_file { read open setattr };
+allow init { dev_type -kmem_device -port_device }:chr_file setattr;
 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };
@@ -318,11 +323,6 @@ allow init hw_random_device:chr_file r_file_perms;
 # only ever accessed by init.
 allow init device:file create_file_perms;
-# Access character devices without a specific type,
-# TODO: Remove this access and auditallow (b/33347297)
-allow init device:chr_file { rw_file_perms setattr };
-auditallow init device:chr_file { rw_file_perms setattr };
 # keychord configuration
 allow init self:capability sys_tty_config;
 allow init keychord_device:chr_file rw_file_perms;

--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -7,8 +7,6 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
-allow ueventd device:chr_file rw_file_perms;
-auditallow ueventd device:chr_file rw_file_perms;
 r_dir_file(ueventd, sysfs_type)
 r_dir_file(ueventd, rootfs)