diff --git a/public/domain.te b/public/domain.te
index 5df7a4351..868901728 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -271,9 +271,7 @@ neverallow * *:{ blk_file chr_file } rename;
 
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
-# init is exempt from this as there are character devices that only it uses.
-# ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd } device:chr_file { open read write };
+neverallow domain device:chr_file { open read write };
 
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
diff --git a/public/init.te b/public/init.te
index debdc398a..1bc2dc6a3 100644
--- a/public/init.te
+++ b/public/init.te
@@ -195,8 +195,13 @@ userdebug_or_eng(`
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
 
+# init should not be able to read or open generic devices
+# TODO: auditing to see if this can be deleted entirely
+allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+auditallow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+
 # chown/chmod on devices.
-allow init { dev_type -kmem_device -port_device }:chr_file { read open setattr };
+allow init { dev_type -kmem_device -port_device }:chr_file setattr;
 
 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };
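Review bot: The tightened `neverallow domain device:chr_file { open read write };` in public/domain.te still leaves `append` and `ioctl` outside the assertion, so a rule granting either on the generic `device` type (usable on an inherited descriptor) would pass the build-time check. If nothing in the tree depends on them, consider `neverallow domain device:chr_file { open read write append ioctl };`; this needs a full policy build to confirm, since the rest of the policy is not visible here. With the init and ueventd exemptions gone, the comment above could also say so explicitly, e.g. `# No domain is exempt, including init and ueventd.`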
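Review bot: The comment on the new read/open rule in public/init.te states what init must not do, while the rule under it grants `read open` on every character device type except `kmem_device`, `port_device` and `device`, so a reader scanning for the grant can misread it. Suggest `# Read/open labeled character devices; the generic "device" type is excluded.` and a tracking bug on the TODO, `# TODO(b/<bug-id>): audit and remove if unused`, as the TODO removed later in this file had (b/33347297). The `auditallow` also matches accesses that narrower rules already permit (`hw_random_device` and `keychord_device` are visible in the next hunk of this file), so the audit log will not show which accesses actually depend on the broad rule. Subtracting those types from the `auditallow` set only, not from the `allow`, would let the audit answer the TODO's question.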
@@ -318,11 +323,6 @@ allow init hw_random_device:chr_file r_file_perms;
 # only ever accessed by init.
 allow init device:file create_file_perms;
 
-# Access character devices without a specific type,
-# TODO: Remove this access and auditallow (b/33347297)
-allow init device:chr_file { rw_file_perms setattr };
-auditallow init device:chr_file { rw_file_perms setattr };
-
 # keychord configuration
 allow init self:capability sys_tty_config;
 allow init keychord_device:chr_file rw_file_perms;
diff --git a/public/ueventd.te b/public/ueventd.te
index 11235ed35..b0706c895 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -7,8 +7,6 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
 
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
-allow ueventd device:chr_file rw_file_perms;
-auditallow ueventd device:chr_file rw_file_perms;
 
 r_dir_file(ueventd, sysfs_type)
 r_dir_file(ueventd, rootfs)