From ddf98fa8cf11000f91329945abc23ee791adfe69 Mon Sep 17 00:00:00 2001
From: Geremy Condra <gcondra@google.com>
Date: Thu, 31 Oct 2013 11:17:23 -0700
Subject: [PATCH] Neverallow access to the kmem device from userspace.

Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4
---
 app.te | 3 ---
 domain.te | 4 ++++
 netd.te | 3 ---
 unconfined.te | 2 +-
 4 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/app.te b/app.te
index 8e220ff24..6e95ffb40 100644
--- a/app.te
+++ b/app.te
@@ -137,9 +137,6 @@ neverallow { appdomain -unconfineddomain } self:capability2 *;
 # Block device access.
 neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };
 
-# Kernel memory access.
-neverallow { appdomain -unconfineddomain } kmem_device:chr_file { read write };
-
 # Access to any character device that is not specifically typed.
 neverallow { appdomain -unconfineddomain } device:chr_file { read write };
 
diff --git a/domain.te b/domain.te
index 4d411959c..55a7b8162 100644
--- a/domain.te
+++ b/domain.te
@@ -139,3 +139,7 @@ neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_
 
 # Ensure that all entrypoint executables are in exec_type.
 neverallow domain { file_type -exec_type }:file entrypoint;
+
+# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
+neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
+neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
diff --git a/netd.te b/netd.te
index d8d65c9a1..d60e3776b 100644
--- a/netd.te
+++ b/netd.te
@@ -64,9 +64,6 @@ allow netd device:sock_file write;
 # Block device access.
 neverallow netd dev_type:blk_file { read write };
 
-# Kernel memory access.
-neverallow netd kmem_device:chr_file { read write };
-
 # Setting SELinux enforcing status or booleans.
 neverallow netd kernel:security { setenforce setbool };
 
diff --git a/unconfined.te b/unconfined.te
index 80f88b7bc..35db54f75 100644
--- a/unconfined.te
+++ b/unconfined.te
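Review bot: The comment on the new domain.te rules says nothing in userspace can access /dev/mem or /dev/kmem, but the first rule exempts init and ueventd and the second still leaves create, relabelto, unlink and setattr open to every domain, so the comment understates what the pair actually enforces. Spelling out the split would help the next reader, e.g. `# No domain may read, write, open or ioctl kmem_device; only node management (create relabelto unlink setattr)` followed by `# is ever permitted, and only kernel, init and ueventd may have even that.` Because the second rule already bounds every domain, the `-kernel` carve-out in the first rule gives the kernel domain nothing beyond those four node-management permissions, which is probably intended but deserves a word in the comment. The comment's claim also depends on /dev/mem and /dev/kmem being labelled kmem_device in file_contexts, which this patch does not touch, so I cannot confirm it from the hunk alone.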
@@ -30,7 +30,7 @@ allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain fs_type:filesystem *;
 allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain {fs_type dev_type file_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 allow unconfineddomain netif_type:netif *;
-- 
GitLab
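Review bot: The `-kmem_device` exclusion on the changed allow line has no comment saying why it is there, and it also removes create, setattr and unlink on kmem_device nodes from every unconfined domain, which matters if init or ueventd are unconfined and relied on this line to create or relabel the device nodes that the domain.te neverallow still permits them to manage. A one-line comment would make the dependency visible: `# kmem_device is excluded so this allow does not conflict with the domain.te neverallow on /dev/mem and /dev/kmem.` Whether init and ueventd are members of unconfineddomain, and whether their own .te files already grant chr_file create/setattr on dev_type, is not visible in this patch, so that should be checked against those files before relying on the carve-out.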