Removing init and ueventd access to generic char files am: 3171829a am: 56ae3291

am: ec4eece9 Change-Id: Ib19590277d3e6b0c8f2b4777f15858f4c995b9b5

Removing init and ueventd access to generic char files am: 3171829a am: 56ae3291
62e4a2a7 · Max Bires · android-build-merger · adce24c3 · ec4eece9 · 62e4a2a7
Commit 62e4a2a7 authored 8 years ago by Max Bires Committed by android-build-merger 8 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -271,9 +271,7 @@ neverallow * *:{ blk_file chr_file } rename;

 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
-# init is exempt from this as there are character devices that only it uses.
-# ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd } device:chr_file { open read write };
+neverallow domain device:chr_file { open read write };

 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need

--- a/public/init.te
+++ b/public/init.te
@@ -195,8 +195,13 @@ userdebug_or_eng(`
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };

+# init should not be able to read or open generic devices
+# TODO: auditing to see if this can be deleted entirely
+allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+auditallow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+
 # chown/chmod on devices.
-allow init { dev_type -kmem_device -port_device }:chr_file { read open setattr };
+allow init { dev_type -kmem_device -port_device }:chr_file setattr;

 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };
@@ -318,11 +323,6 @@ allow init hw_random_device:chr_file r_file_perms;
 # only ever accessed by init.
 allow init device:file create_file_perms;

-# Access character devices without a specific type,
-# TODO: Remove this access and auditallow (b/33347297)
-allow init device:chr_file { rw_file_perms setattr };
-auditallow init device:chr_file { rw_file_perms setattr };
-
 # keychord configuration
 allow init self:capability sys_tty_config;
 allow init keychord_device:chr_file rw_file_perms;

--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -7,8 +7,6 @@ allow ueventd kmsg_device:chr_file rw_file_perms;

 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
-allow ueventd device:chr_file rw_file_perms;
-auditallow ueventd device:chr_file rw_file_perms;

 r_dir_file(ueventd, sysfs_type)
 r_dir_file(ueventd, rootfs)