From f617a404c2d3d43e1146a7237752aa1baab68918 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 24 Aug 2018 11:57:49 -0700
Subject: [PATCH] auditallow shell input_device:chr_file

Test to see if anyone is writing to /dev/input from the shell.

Bug: 30861057
Test: device boots and no avc granted messages.
Change-Id: Ia3499ef9436f83cf13c633525348b63edd95990f
---
 public/shell.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/public/shell.te b/public/shell.te
index 31408a0e3..6c9370307 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -45,8 +45,14 @@ unix_socket_connect(shell, dumpstate, dumpstate)
 allow shell devpts:chr_file rw_file_perms;
 allow shell tty_device:chr_file rw_file_perms;
 allow shell console_device:chr_file rw_file_perms;
+
 allow shell input_device:dir r_dir_perms;
 allow shell input_device:chr_file rw_file_perms;
+# b/30861057: TODO: No shell write access to existing input devices
+userdebug_or_eng(`
+  auditallow shell input_device:chr_file write;
+')
+
 r_dir_file(shell, system_file)
 allow shell system_file:file x_file_perms;
 allow shell toolbox_exec:file rx_file_perms;
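Review bot: The new auditallow on the chr_file `write` vector will not catch every write path that the preceding `allow shell input_device:chr_file rw_file_perms;` grants, since rw_file_perms also carries `append` (I believe Android's w_file_perms macro includes it) and an O_APPEND open of an input device is checked as `append`, not `write`. If the goal is to confirm that no shell user writes to /dev/input at all before tightening the rule, widen the probe to `auditallow shell input_device:chr_file { write append };` so the measurement matches what the allow rule permits. It would also help a later reader to state the intended end state in the TODO, e.g. `# b/30861057: TODO: drop write access by reducing rw_file_perms to r_file_perms once no avc: granted messages are observed`. Scoping the auditallow to userdebug_or_eng while the allow itself stays unconditional is fine for a measurement, but worth noting in the comment so the asymmetry is not mistaken for a partial fix.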
-- 
GitLab