uncrypt: drop generic block_device allow rules

Currently, uncrypt has write access to "block_device". This is the generic label used for a file in /dev/block which doesn't have a more specific label assigned to it. This is an overly broad grant. Commit a10f789d started the process of deprecating "block_device" access in favor of "misc_block_device". This change completes the deprecation and removes the overly broad grant. Also update the neverallow rules so that this overly broad rule cannot be reintroduced into uncrypt. Bug: 25091603 Change-Id: Ifc5fa412db2f95726ae89c32c577a6659885ae55

uncrypt: drop generic block_device allow rules
eb43e654 · Nick Kralevich · 3ec34ceb · eb43e654 · eb43e654
Commit eb43e654 authored 9 years ago by Nick Kralevich
--- a/domain.te
+++ b/domain.te
@@ -238,7 +238,7 @@ neverallow * init:binder *;

 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };

 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.

--- a/uncrypt.te
+++ b/uncrypt.te
@@ -26,8 +26,6 @@ set_prop(uncrypt, powerctl_prop)

 # Raw writes to block device
 allow uncrypt self:capability sys_rawio;
-allow uncrypt block_device:blk_file w_file_perms;
-auditallow uncrypt block_device:blk_file w_file_perms;
 allow uncrypt misc_block_device:blk_file w_file_perms;
 allow uncrypt block_device:dir r_dir_perms;