From 2c7a5f26b96dc35310727b8e63c18445778dbbaa Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 14 Apr 2016 17:23:10 -0700
Subject: [PATCH] Disallow /misc access except for a few domains.

The misc_block_device partition is intended for the exclusive
use of the OTA system, and components related to the OTA system.
Disallow its use by anyone else on user builds. On userdebug/eng
builds, allow any domain to use this, since this appears to be used
for testing purposes.

Bug: 26470876
Change-Id: I05d4ee025bb8a5e6a1a9237fefaa2b1c646e332c
---
 domain.te | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/domain.te b/domain.te
index 67019a0a4..b0d018e3a 100644
--- a/domain.te
+++ b/domain.te
@@ -317,6 +317,20 @@ neverallow { domain -recovery -update_engine } system_block_device:blk_file writ
 # No domains other than install_recovery or recovery can write to recovery.
 neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
 
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+  domain
+  userdebug_or_eng(`-domain') # exclude debuggable builds
+  -init
+  -uncrypt
+  -update_engine
+  -vold
+  -recovery
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
 # Only servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager } *:binder set_context_mgr;
 
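Review bot: The `userdebug_or_eng(`-domain')` term on the new neverallow empties the source set on debuggable builds, so the assertion says nothing about any domain there, not only the ones doing the testing the comment refers to; a device policy that grants, say, an app or shell-adjacent domain `write` on `misc_block_device` will compile cleanly on userdebug/eng and only fail on the user build. Exempting the domains that actually do the testing would keep the rule meaningful on every variant, e.g. `userdebug_or_eng(`-shell')` if the testing is adb-driven -- which domains need it is not visible here and should be confirmed before narrowing. It would also help future readers to state next to each `-init`, `-vold` etc. line why that domain is trusted with the partition, since the list is hand-maintained and every addition widens the OTA trust boundary. Note too that the asserted set omits `setattr`, `unlink`, `relabelto` and `mounton` on the node; that is presumably deliberate (the data path is covered by `read`/`write`/`ioctl`), but a one-line comment saying so would stop someone from "fixing" it later.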
-- 
GitLab