/dev/port does not seem to be used, adding in rules to confirm.

am: c27c23fb Change-Id: I28f0ec1eac5fa78ca1268089954c190c0e38b188

/dev/port does not seem to be used, adding in rules to confirm.
am: c27c23fb Change-Id: I28f0ec1eac5fa78ca1268089954c190c0e38b188
45c41f35 · Max · android-build-merger · 2643c6f7 · c27c23fb · 45c41f35
Commit 45c41f35 authored 8 years ago by Max Committed by android-build-merger 8 years ago
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -85,6 +85,7 @@
 /dev/mtp_usb		u:object_r:mtp_device:s0
 /dev/pmsg0		u:object_r:pmsg_device:s0
 /dev/pn544		u:object_r:nfc_device:s0
+/dev/port		u:object_r:port_device:s0
 /dev/ppp		u:object_r:ppp_device:s0
 /dev/ptmx		u:object_r:ptmx_device:s0
 /dev/pvrsrvkm		u:object_r:gpu_device:s0

--- a/public/device.te
+++ b/public/device.te
@@ -27,6 +27,7 @@ type graphics_device, dev_type;
 type hw_random_device, dev_type;
 type input_device, dev_type;
 type kmem_device, dev_type;
+type port_device, dev_type;
 type log_device, dev_type, mlstrustedobject;
 type mtd_device, dev_type;
 type mtp_device, dev_type, mlstrustedobject;

--- a/public/domain.te
+++ b/public/domain.te
@@ -268,13 +268,18 @@ neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
 neverallow {
  domain
-  -init
-  -kernel
  -shell # For CTS and is restricted to getattr in shell.te
  -ueventd # Further restricted in ueventd.te
 } kmem_device:chr_file *;
 neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
+#Ensure that nothing in userspace can access /dev/port
+neverallow {
+  domain
+  -shell # Shell user should not have any abilities outside of getattr
+  -ueventd
+} port_device:chr_file *;
+neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };

--- a/public/init.te
+++ b/public/init.te
@@ -184,7 +184,7 @@ allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 # chown/chmod on devices.
-allow init { dev_type -kmem_device }:chr_file { read open setattr };
+allow init { dev_type -kmem_device -port_device }:chr_file { read open setattr };
 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };

--- a/public/shell.te
+++ b/public/shell.te
@@ -178,6 +178,7 @@ neverallow shell {
  fuse_device
  hw_random_device
  kmem_device
+  port_device
 }:chr_file ~getattr;
 # Limit shell to only getattr on blk devices for host side tests.

--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -46,5 +46,5 @@ neverallow ueventd property_type:property_service set;
 # Restrict ueventd access on block devices to maintenence operations.
 neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
-# Only relabelto as we would never want to relabelfrom kmem_device
+# Only relabelto as we would never want to relabelfrom kmem_device or port_device
-neverallow ueventd kmem_device:chr_file ~{ getattr create setattr unlink relabelto };
+neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };