From 63b33dc2db9587f7bc0ba721b44d498945cee140 Mon Sep 17 00:00:00 2001
From: Elliott Hughes <enh@google.com>
Date: Tue, 26 Jul 2016 09:46:20 -0700
Subject: [PATCH] Simplify /dev/kmsg SELinux policy.

Bug: http://b/30317429
Change-Id: I5c499c48d5e321ebdf588a162d29e949935ad8ee
Test: adb shell dmesg | grep ueventd
---
 device.te     | 1 -
 file_contexts | 1 -
 kernel.te     | 3 +--
 ueventd.te    | 6 ++----
 4 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/device.te b/device.te
index e3ddb95f2..e4a792e2c 100644
--- a/device.te
+++ b/device.te
@@ -51,7 +51,6 @@ type uio_device, dev_type;
 type tun_device, dev_type, mlstrustedobject;
 type usbaccessory_device, dev_type, mlstrustedobject;
 type usb_device, dev_type, mlstrustedobject;
-type klog_device, dev_type;
 type properties_device, dev_type;
 type properties_serial, dev_type;
 type i2c_device, dev_type;
diff --git a/file_contexts b/file_contexts
index 508918359..39c006d6e 100644
--- a/file_contexts
+++ b/file_contexts
@@ -136,7 +136,6 @@
 /dev/watchdog		u:object_r:watchdog_device:s0
 /dev/xt_qtaguid	u:object_r:qtaguid_device:s0
 /dev/zero		u:object_r:zero_device:s0
-/dev/__kmsg__		u:object_r:klog_device:s0
 /dev/__properties__ u:object_r:properties_device:s0
 #############################
 # System files
diff --git a/kernel.te b/kernel.te
index 05aaf831a..adab08567 100644
--- a/kernel.te
+++ b/kernel.te
@@ -41,8 +41,7 @@ allow kernel self:capability sys_resource;
 allow kernel self:capability sys_boot;
 allow kernel proc_sysrq:file w_file_perms;
 
-# Allow writing to /dev/__kmsg__ which was created prior to
-# loading policy
+# Allow writing to /dev/kmsg which was created prior to loading policy.
 allow kernel tmpfs:chr_file write;
 
 # Set checkreqprot by init.rc prior to switching to init domain.
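Review bot: The reworded comment names only /dev/kmsg, but the rule under it, `allow kernel tmpfs:chr_file write;`, is keyed on the label and so covers every character device still labelled tmpfs. The comment should state that breadth so the rule is not read as a kmsg-specific grant, for example `# Note: this matches any chr_file labelled tmpfs; /dev/kmsg presumably has that label only because it is created before policy load.` It would also help to record whether the rule is still needed now that `/dev/__kmsg__` is gone.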
diff --git a/ueventd.te b/ueventd.te
index ec7e9a1ac..f1576e750 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -3,10 +3,8 @@
 type ueventd, domain, domain_deprecated;
 tmpfs_domain(ueventd)
 
-# TODO: why is ueventd using __kmsg__ when it should just create
-# and use /dev/kmsg instead?
-type_transition ueventd device:chr_file klog_device "__kmsg__";
-allow ueventd klog_device:chr_file { create open write unlink };
+# Write to /dev/kmsg.
+allow ueventd kmsg_device:chr_file rw_file_perms;
 
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
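Review bot: The new rule `allow ueventd kmsg_device:chr_file rw_file_perms;` grants read access as well as write, while the comment above it says only "Write to /dev/kmsg." and the removed rule listed no read permission. Reading /dev/kmsg exposes the kernel log, so unless ueventd needs to read it, the write-only macro already used in kernel.te keeps the grant minimal: `allow ueventd kmsg_device:chr_file w_file_perms;`. If read is intended, the comment should say so and explain why. The `kmsg_device` type is not declared in any hunk shown here, so it is presumably defined elsewhere in the policy.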
-- 
GitLab