From e83b9f037c47f004391a8c947303a48548f79838 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Fri, 1 Jul 2016 10:36:38 -0400
Subject: [PATCH] appdomain: neverallow direct input_device access

Applications should not access /dev/input/* for events, but
rather use events handled via the activity mechanism.

Change-Id: I0182b6be1b7c69d96e4366ba59f14cee67be4beb
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 app.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/app.te b/app.te
index 70b1c94e3..f166caa06 100644
--- a/app.te
+++ b/app.te
@@ -405,3 +405,9 @@ neverallow appdomain {
   system_file
   tmpfs
 }:lnk_file no_w_file_perms;
+
+# Applications should use the activity model for receiving events
+neverallow {
+  appdomain
+  -shell # bugreport
+} input_device:chr_file ~getattr;
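Review bot: The `# bugreport` comment on the `-shell` exclusion is terse, and nothing explains why `getattr` is left out of the asserted permission set via `~getattr`; an auditor reading this neverallow later cannot tell whether either exemption is deliberate. Consider a fuller comment above the rule, e.g. `# shell is exempt so bugreport can inspect input devices; getattr is omitted so apps may stat the nodes without reading events` — the getattr rationale is inferred here and should be confirmed before it is written down. The assertion covers only the `chr_file` class, so if the /dev/input directory itself carries the input_device label, a future allow rule on `input_device:dir` (listing the device nodes) would not be caught; if enumeration is also meant to be off-limits to apps, extend the class list or add a parallel assertion. Keep in mind a neverallow is a build-time check that no allow rule grants these permissions, not a runtime denial, so it is only as complete as the classes it names.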
-- 
GitLab