Commit 0722b5aa authored by Mark Salyzyn's avatar Mark Salyzyn

init: drop /dev/keychord access

Test: compile
Bug: 64114943
Change-Id: I1d20cc027dbd1a94e2a79b6aebdd265cefe8a6a5
parent 08aa7159
...@@ -366,9 +366,7 @@ neverallow { ...@@ -366,9 +366,7 @@ neverallow {
# b/78174219 b/64114943 # b/78174219 b/64114943
neverallow { neverallow {
domain domain
-init
-shell # stat of /dev, getattr only -shell # stat of /dev, getattr only
-vendor_init
-ueventd -ueventd
} keychord_device:chr_file *; } keychord_device:chr_file *;
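Review bot: The `-shell` exemption kept in this neverallow is annotated "getattr only", but the rule exempts shell from every permission covered by `keychord_device:chr_file *`, so nothing visible here enforces that comment. With init and vendor_init now dropped from the exception list, a companion assertion such as `neverallow shell keychord_device:chr_file ~{ getattr };` would pin the remaining exemption to what the comment claims, unless one already exists outside this hunk. The `-ueventd` exemption also has no comment saying which access it needs, which makes the exception list harder to audit.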
......
...@@ -234,6 +234,7 @@ allow init debugfs_wifi_tracing:file w_file_perms; ...@@ -234,6 +234,7 @@ allow init debugfs_wifi_tracing:file w_file_perms;
allow init { allow init {
fs_type fs_type
-contextmount_type -contextmount_type
-keychord_device
-proc_type -proc_type
-sdcard_type -sdcard_type
-sysfs_type -sysfs_type
...@@ -245,11 +246,12 @@ allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read ...@@ -245,11 +246,12 @@ allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read
# TODO: auditing to see if this can be deleted entirely # TODO: auditing to see if this can be deleted entirely
allow init { allow init {
dev_type dev_type
-keychord_device
-kmem_device -kmem_device
-port_device -port_device
-device -device
-vndbinder_device -vndbinder_device
}:chr_file { read open }; }:chr_file { read open };
auditallow init { auditallow init {
dev_type dev_type
-alarm_device -alarm_device
...@@ -262,7 +264,6 @@ auditallow init { ...@@ -262,7 +264,6 @@ auditallow init {
-hwbinder_device -hwbinder_device
-hw_random_device -hw_random_device
-input_device -input_device
-keychord_device
-kmem_device -kmem_device
-kmsg_device -kmsg_device
-null_device -null_device
...@@ -274,7 +275,12 @@ auditallow init { ...@@ -274,7 +275,12 @@ auditallow init {
}:chr_file { read open }; }:chr_file { read open };
# chown/chmod on devices. # chown/chmod on devices.
allow init { dev_type -kmem_device -port_device }:chr_file setattr; allow init {
dev_type
-keychord_device
-kmem_device
-port_device
}:chr_file setattr;
# Unlabeled file access for upgrades from 4.2. # Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom }; allow init unlabeled:dir { create_dir_perms relabelfrom };
...@@ -464,9 +470,7 @@ allow init hw_random_device:chr_file r_file_perms; ...@@ -464,9 +470,7 @@ allow init hw_random_device:chr_file r_file_perms;
# only ever accessed by init. # only ever accessed by init.
allow init device:file create_file_perms; allow init device:file create_file_perms;
# keychord configuration # keychord retrieval from /dev/input/ devices
allow init self:global_capability_class_set sys_tty_config;
allow init keychord_device:chr_file rw_file_perms;
allow init input_device:dir r_dir_perms; allow init input_device:dir r_dir_perms;
allow init input_device:chr_file rw_file_perms; allow init input_device:chr_file rw_file_perms;
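Review bot: The rewritten comment says init only retrieves keychords from /dev/input/ devices, yet the unchanged rule beneath it still grants `rw_file_perms` on every `input_device:chr_file`. If init only reads events from those nodes, `allow init input_device:chr_file r_file_perms;` would be the least-privilege form. If the write bit really is needed (for example because the nodes are opened read-write), the comment should say so. init's keychord code is not visible on this page, so this needs confirming before the rule is narrowed.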
......
...@@ -99,6 +99,7 @@ allow vendor_init debugfs_tracing:file w_file_perms; ...@@ -99,6 +99,7 @@ allow vendor_init debugfs_tracing:file w_file_perms;
allow vendor_init { allow vendor_init {
fs_type fs_type
-contextmount_type -contextmount_type
-keychord_device
-sdcard_type -sdcard_type
-rootfs -rootfs
-proc_uid_time_in_state -proc_uid_time_in_state
...@@ -119,6 +120,7 @@ allow vendor_init { ...@@ -119,6 +120,7 @@ allow vendor_init {
# chown/chmod on devices, e.g. /dev/ttyHS0 # chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init { allow vendor_init {
dev_type dev_type
-keychord_device
-kmem_device -kmem_device
-port_device -port_device
-lowpan_device -lowpan_device
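Review bot: The purpose of `-keychord_device` in the `fs_type` set at the top of this section is not evident, and the same subtraction is added to init's `fs_type` set in the hunk at @@ -234. The type is treated as a member of `dev_type` elsewhere in this commit; if it carries no `fs_type` attribute, the subtraction is a no-op that suggests a restriction which is not actually there. Both rule bodies end outside the visible hunks, so the object class they apply to cannot be checked here. Either drop the line from the `fs_type` sets or add a comment such as `# keychord_device: excluded to satisfy the keychord neverallow` where it is really required.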
......