Wider neverallow rules for coredomain /dev access. am: 2725edc6

am: 75425e23 Change-Id: I17c7cdfaa32b0be3b64a80ee848680dedfac046c

Wider neverallow rules for coredomain /dev access. am: 2725edc6
am: 75425e23 Change-Id: I17c7cdfaa32b0be3b64a80ee848680dedfac046c
846890d0 · Tri Vo · android-build-merger · 6441898b · 75425e23 · 846890d0
Commit 846890d0 authored 6 years ago by Tri Vo Committed by android-build-merger 6 years ago
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -169,12 +169,12 @@ full_treble_only(`
  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
 ')

-# Following /dev nodes must not be directly accessed by coredomain after Treble,
-# but should instead be wrapped by HALs.
-full_treble_only(`
-  neverallow coredomain {
-    iio_device
-    radio_device
-    tee_device
-  }:chr_file { open read append write ioctl };
-')
+# Following /dev nodes must not be directly accessed by coredomain, but should
+# instead be wrapped by HALs.
+neverallow coredomain {
+  iio_device
+  radio_device
+  # TODO(b/120243891): HAL permission to tee_device is included into coredomain
+  # on non-Treble devices.
+  full_treble_only(`tee_device')
+}:chr_file { open read append write ioctl };