Merge "init: access to /dev based on audit results"

368c7c08 · Tri Vo · Gerrit Code Review · 10b250df · 887ef163 · 368c7c08
Commit 368c7c08 authored 6 years ago by Tri Vo Committed by Gerrit Code Review 6 years ago
--- a/public/init.te
+++ b/public/init.te
@@ -251,36 +251,24 @@ allow init {
 }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
-# init should not be able to read or open generic devices
-# TODO: auditing to see if this can be deleted entirely
 allow init {
-  dev_type
+  alarm_device
-  -keychord_device
+  ashmem_device
-  -kmem_device
+  binder_device
-  -port_device
+  console_device
-  -device
+  devpts
-  -vndbinder_device
+  dm_device
-}:chr_file { read open };
+  hwbinder_device
-auditallow init {
+  hw_random_device
-  dev_type
+  input_device
-  -alarm_device
+  kmsg_device
-  -ashmem_device
+  null_device
-  -binder_device
+  owntty_device
-  -console_device
+  pmsg_device
-  -device
+  ptmx_device
-  -devpts
+  random_device
-  -dm_device
+  tty_device
-  -hwbinder_device
+  zero_device
-  -hw_random_device
-  -input_device
-  -kmem_device
-  -kmsg_device
-  -null_device
-  -owntty_device
-  -port_device
-  -ptmx_device
-  -random_device
-  -zero_device
 }:chr_file { read open };
 # chown/chmod on devices.