init: lock down access to keychord_device

The out-of-tree keychord driver is only intended for use by init. Test: build Bug: 64114943 Bug: 78174219 Change-Id: I96a7fbcd9a54a38625063606f5c4ab6d40d701f6

init: lock down access to keychord_device
8daacf64 · Mark Salyzyn · ae0b835c · 8daacf64
Commit 8daacf64 authored 6 years ago by Mark Salyzyn
--- a/public/domain.te
+++ b/public/domain.te
@@ -363,6 +363,14 @@ neverallow {
  -system_server
  -ueventd
 } hw_random_device:chr_file *;
+# b/78174219 b/64114943
+neverallow {
+  domain
+  -init
+  -shell # stat of /dev, getattr only
+  -vendor_init
+  -ueventd
+} keychord_device:chr_file *;
 # Ensure that all entrypoint executables are in exec_type or postinstall_file.
 neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;