am 3fc0df76: am a637b2f2: assert: Do not allow access to generic device:chr_file

* commit '3fc0df76': assert: Do not allow access to generic device:chr_file

am 3fc0df76: am a637b2f2: assert: Do not allow access to generic device:chr_file
65031d15 · William Roberts · Android Git Automerger · d65602ef · 3fc0df76 · 65031d15
Commit 65031d15 authored 11 years ago by William Roberts Committed by Android Git Automerger 11 years ago
--- a/app.te
+++ b/app.te
@@ -201,9 +201,6 @@ neverallow { appdomain -unconfineddomain } self:capability2 *;
 # Block device access.
 neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };

-# Access to any character device that is not specifically typed.
-neverallow { appdomain -unconfineddomain } device:chr_file { read write };
-
 # Access to any of the following character devices.
 neverallow { appdomain -unconfineddomain } {
    audio_device

--- a/domain.te
+++ b/domain.te
@@ -187,3 +187,8 @@ neverallow domain init:binder call;
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
 neverallow { domain -unconfineddomain -vold } block_device:blk_file { open read write };
+
+# Don't allow raw read/write/open access to generic devices.
+# Rather force a relabel to a more specific type.
+# ueventd is exempt from this, as its managing these devices.
+neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };