Disallow /misc access except for a few domains.

The misc_block_device partition is intended for the exclusive use of the OTA system, and components related to the OTA system. Disallow it's use by anyone else on user builds. On userdebug/eng builds, allow any domain to use this, since this appears to be used for testing purposes. Bug: 26470876 Change-Id: I05d4ee025bb8a5e6a1a9237fefaa2b1c646e332c

Disallow /misc access except for a few domains.
The misc_block_device partition is intended for the exclusive use of the OTA system, and components related to the OTA system. Disallow it's use by anyone else on user builds. On userdebug/eng builds, allow any domain to use this, since this appears to be used for testing purposes. Bug: 26470876 Change-Id: I05d4ee025bb8a5e6a1a9237fefaa2b1c646e332c
2c7a5f26 · Nick Kralevich · a8e7fe22 · 2c7a5f26
Commit 2c7a5f26 authored 8 years ago by Nick Kralevich
--- a/domain.te
+++ b/domain.te
@@ -317,6 +317,20 @@ neverallow { domain -recovery -update_engine } system_block_device:blk_file writ
 # No domains other than install_recovery or recovery can write to recovery.
 neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+  domain
+  userdebug_or_eng(`-domain') # exclude debuggable builds
+  -init
+  -uncrypt
+  -update_engine
+  -vold
+  -recovery
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
 # Only servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager } *:binder set_context_mgr;