Merge "Allow system_server access to hidraw devices." into main am: 27bb0c60f6

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2855126 Change-Id: I6afaec68f2dc3f3436c6894d36e30ebcce874642 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-01 18:45:33 +00:00 · 2023-12-01 18:45:33 +00:00 · 4ea95b1730
commit 4ea95b1730
parent 2ca6c9a46a 27bb0c60f6
6 changed files with 10 additions and 0 deletions
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@ -150,6 +150,8 @@
 /dev/gnss10                                                       gnss_device
 /dev/graphics                                                     graphics_device
 /dev/graphics/test                                                graphics_device
+/dev/hidraw0                                                      hidraw_device
+/dev/hidraw1                                                      hidraw_device
 /dev/hw_random                                                    hw_random_device
 /dev/hwbinder                                                     hwbinder_device
 /dev/input                                                        input_device
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@ -295,3 +295,6 @@ neverallow {
 # anon_inode usages like userfaultfd and io_uring. This prevents us from
 # creating a more fine-grained neverallow policy for each anon_inode usage.
 neverallow all_untrusted_apps domain:anon_inode *;
+
+# Do not allow untrusted app access to hidraw devices.
+neverallow all_untrusted_apps hidraw_device:chr_file *;
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@ -16,6 +16,7 @@
    hal_macsec_service
    hal_remotelyprovisionedcomponent_avf_service
    hal_threadnetwork_service
+    hidraw_device
    virtual_camera_service
    ot_daemon_service
    pm_archiving_enabled_prop
--- a/private/file_contexts
+++ b/private/file_contexts
@ -127,6 +127,7 @@
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/gnss[0-9]+		u:object_r:gnss_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
+/dev/hidraw[0-9]+	u:object_r:hidraw_device:s0
 /dev/hw_random		u:object_r:hw_random_device:s0
 /dev/hwbinder		u:object_r:hwbinder_device:s0
 /dev/input(/.*)?	u:object_r:input_device:s0
--- a/private/system_server.te
+++ b/private/system_server.te
@ -480,6 +480,8 @@ allow system_server adbd_socket:sock_file rw_file_perms;
 allow system_server rtc_device:chr_file rw_file_perms;
 allow system_server audio_device:dir r_dir_perms;
 allow system_server uhid_device:chr_file rw_file_perms;
+allow system_server hidraw_device:dir r_dir_perms;
+allow system_server hidraw_device:chr_file rw_file_perms;

 # write access to ALSA interfaces (/dev/snd/*) needed for MIDI
 allow system_server audio_device:chr_file rw_file_perms;
--- a/public/device.te
+++ b/public/device.te
@ -64,6 +64,7 @@ type gnss_device, dev_type;
 type properties_device, dev_type;
 type properties_serial, dev_type;
 type property_info, dev_type;
+type hidraw_device, dev_type;

 # All devices have a uart for the hci
 # attach service. The uart dev node