assert: do not allow raw access to generic block_device

Rather then allowing open,read,write to raw block devices, one should relabel it to something more specific. vold should be re-worked so we can drop it from this assert. Change-Id: Ie891a9eaf0814ea3878d32b18b4e9f4d7dac4faf
2014-01-30 09:10:28 -08:00 · 2014-01-30 09:10:28 -08:00 · d0919ec253
commit d0919ec253
parent b71dae828f
1 changed files with 4 additions and 0 deletions
--- a/domain.te
+++ b/domain.te
@ -183,3 +183,7 @@ neverallow domain init:process ptrace;
 # Init can't receive binder calls. If this neverallow rule is being
 # triggered, it's probably due to a service with no SELinux domain.
 neverallow domain init:binder call;
+
+# Don't allow raw read/write/open access to block_device
+# Rather force a relabel to a more specific type
+neverallow { domain -unconfineddomain -vold } block_device:blk_file { open read write };