Wider neverallow rules for coredomain /dev access.

"iio_device", "radio_device" must not be accessed by coredomain on all devices. And "tee_device" must not be accessed by coredomain on Treble devices. Bug: 110962171 Test: m selinux_policy Test: mmma system/sepolicy Change-Id: I27029b6579b41109c01c35c6ab5a992413f2de5c

Wider neverallow rules for coredomain /dev access.
"iio_device", "radio_device" must not be accessed by coredomain on all devices. And "tee_device" must not be accessed by coredomain on Treble devices. Bug: 110962171 Test: m selinux_policy Test: mmma system/sepolicy Change-Id: I27029b6579b41109c01c35c6ab5a992413f2de5c
2725edc6 · Tri Vo · 9cded32f · 2725edc6
Commit 2725edc6 authored 6 years ago by Tri Vo
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -169,12 +169,12 @@ full_treble_only(`
  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
 ')
-# Following /dev nodes must not be directly accessed by coredomain after Treble,
+# Following /dev nodes must not be directly accessed by coredomain, but should
-# but should instead be wrapped by HALs.
+# instead be wrapped by HALs.
-full_treble_only(`
+neverallow coredomain {
-  neverallow coredomain {
+  iio_device
-    iio_device
+  radio_device
-    radio_device
+  # TODO(b/120243891): HAL permission to tee_device is included into coredomain
-    tee_device
+  # on non-Treble devices.
-  }:chr_file { open read append write ioctl };
+  full_treble_only(`tee_device')
-')
+}:chr_file { open read append write ioctl };