/dev/port does not seem to be used, adding in rules to confirm.

Only init and ueventd have any access to /dev/port, and neither should have any use for it. As it stands, leaving port in just represents additional attack surface with no useful functionality, so it should be removed if possible, not only from Pixel devices, but from all Android devices. Test: The phone boots successfully Bug:33301618 Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f

/dev/port does not seem to be used, adding in rules to confirm.
c27c23fb · Max · 65ad9bc1 · c27c23fb · c27c23fb · c27c23fb
Commit c27c23fb authored 8 years ago by Max
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -85,6 +85,7 @@
 /dev/mtp_usb		u:object_r:mtp_device:s0
 /dev/pmsg0		u:object_r:pmsg_device:s0
 /dev/pn544		u:object_r:nfc_device:s0
+/dev/port		u:object_r:port_device:s0
 /dev/ppp		u:object_r:ppp_device:s0
 /dev/ptmx		u:object_r:ptmx_device:s0
 /dev/pvrsrvkm		u:object_r:gpu_device:s0

--- a/public/device.te
+++ b/public/device.te
@@ -27,6 +27,7 @@ type graphics_device, dev_type;
 type hw_random_device, dev_type;
 type input_device, dev_type;
 type kmem_device, dev_type;
+type port_device, dev_type;
 type log_device, dev_type, mlstrustedobject;
 type mtd_device, dev_type;
 type mtp_device, dev_type, mlstrustedobject;

--- a/public/domain.te
+++ b/public/domain.te
@@ -268,13 +268,18 @@ neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
 neverallow {
  domain
-  -init
-  -kernel
  -shell # For CTS and is restricted to getattr in shell.te
  -ueventd # Further restricted in ueventd.te
 } kmem_device:chr_file *;
 neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };

+#Ensure that nothing in userspace can access /dev/port
+neverallow {
+  domain
+  -shell # Shell user should not have any abilities outside of getattr
+  -ueventd
+} port_device:chr_file *;
+neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };

--- a/public/init.te
+++ b/public/init.te
@@ -184,7 +184,7 @@ allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };

 # chown/chmod on devices.
-allow init { dev_type -kmem_device }:chr_file { read open setattr };
+allow init { dev_type -kmem_device -port_device }:chr_file { read open setattr };

 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };

--- a/public/shell.te
+++ b/public/shell.te
@@ -178,6 +178,7 @@ neverallow shell {
  fuse_device
  hw_random_device
  kmem_device
+  port_device
 }:chr_file ~getattr;

 # Limit shell to only getattr on blk devices for host side tests.

--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -46,5 +46,5 @@ neverallow ueventd property_type:property_service set;
 # Restrict ueventd access on block devices to maintenence operations.
 neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };

-# Only relabelto as we would never want to relabelfrom kmem_device
-neverallow ueventd kmem_device:chr_file ~{ getattr create setattr unlink relabelto };
+# Only relabelto as we would never want to relabelfrom kmem_device or port_device
+neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };