From 8b63356bd383026d7e179e4398080a6e3448e73f Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 9 Feb 2017 12:03:46 -0800
Subject: [PATCH] Address auditallow spam from init

Init has access to a number of character devices inherited via
domain.te. Exclude those character devices from the auditallow
logging.

In addition, init has access to a number of character devices explicitly
listed in init.te. Exclude those from auditallow logging too.

Addresses various auditallow spam, including:

avc: granted { read open } for comm="init" path="/dev/urandom"
dev="tmpfs" ino=1197 scontext=u:r:init:s0
tcontext=u:object_r:random_device:s0 tclass=chr_file

avc: granted { read open } for comm="init" path="/dev/ptmx" dev="tmpfs"
ino=1294 scontext=u:r:init:s0 tcontext=u:object_r:ptmx_device:s0
tclass=chr_file

avc: granted { read } for comm="init" name="keychord" dev="tmpfs"
ino=1326 scontext=u:r:init:s0 tcontext=u:object_r:keychord_device:s0
tclass=chr_file

avc: granted { read open } for comm="init" path="/dev/keychord"
dev="tmpfs" ino=1326 scontext=u:r:init:s0
tcontext=u:object_r:keychord_device:s0 tclass=chr_file

and others not covered above.

Bug: 35197529
Bug: 33347297
Test: policy compiles and no auditallow denials.
Change-Id: Id869404a16c81c779943e9967eb32da226b6047e
---
 public/init.te | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/public/init.te b/public/init.te
index fe8cdbb56..4d64aade6 100644
--- a/public/init.te
+++ b/public/init.te
@@ -200,10 +200,24 @@ allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read
 allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
 auditallow init {
   dev_type
-  -kmem_device
-  -port_device
+  -alarm_device
+  -ashmem_device
+  -binder_device
+  -console_device
   -device
+  -devpts
+  -dm_device
+  -hwbinder_device
+  -hw_random_device
+  -keychord_device
+  -kmem_device
+  -kmsg_device
   -null_device
+  -owntty_device
+  -port_device
+  -ptmx_device
+  -random_device
+  -zero_device
 }:chr_file { read open };
 
 # chown/chmod on devices.
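Review bot: The widened exclusion list on the auditallow rule only suppresses logging; the `allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };` line above it is unchanged, so init keeps read/open on every newly excluded type (random_device, ptmx_device, keychord_device and the rest) and those accesses now leave no audit trail. Nothing in the hunk records why each type is excluded, which the commit message attributes to rules inherited via domain.te or granted explicitly in init.te; without that, the list reads like a denylist and is hard to prune when the auditallow is eventually retired. A comment above the `auditallow init {` block such as `# Types excluded below are already granted to init (via domain.te or explicit rules in this file); the exclusion only silences auditallow logging and does not restrict access.` would make the intent explicit. It is also worth noting, presumably in the same comment, that the allow rule and the auditallow exclusion list are intentionally different so nobody "fixes" the mismatch by widening the allow.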
-- 
GitLab