From a637b2f21eda997f6d1bcb8f2600a5ee3195785d Mon Sep 17 00:00:00 2001
From: William Roberts <wroberts@tresys.com>
Date: Thu, 30 Jan 2014 09:15:45 -0800
Subject: [PATCH] assert: Do not allow access to generic device:chr_file

Rather, enforce that a relabel should be done. This
tightens an existing assertion.

Change-Id: I0500e3dc483e6bf97e5b017043e358bcbdc69904
---
 app.te    | 3 ---
 domain.te | 5 +++++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/app.te b/app.te
index 1aee3ac5d..c4b33314a 100644
--- a/app.te
+++ b/app.te
@@ -201,9 +201,6 @@ neverallow { appdomain -unconfineddomain } self:capability2 *;
 # Block device access.
 neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };
 
-# Access to any character device that is not specifically typed.
-neverallow { appdomain -unconfineddomain } device:chr_file { read write };
-
 # Access to any of the following character devices.
 neverallow { appdomain -unconfineddomain } {
     audio_device
diff --git a/domain.te b/domain.te
index 13b977a9a..6f0ee1331 100644
--- a/domain.te
+++ b/domain.te
@@ -187,3 +187,8 @@ neverallow domain init:binder call;
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
 neverallow { domain -unconfineddomain -vold } block_device:blk_file { open read write };
+
+# Don't allow raw read/write/open access to generic devices.
+# Rather force a relabel to a more specific type.
+# ueventd is exempt from this, as its managing these devices.
+neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
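Review bot: The exemption comment on the new rule has a typo, `its` should be `it's`; suggested line: `# ueventd is exempt from this, as it's managing these devices.`. The permission set `{ open read write }` mirrors the block_device assertion directly above it, which means `append` and `ioctl` on a generic `device:chr_file` stay outside this neverallow; if that is deliberate, a short note saying so would spare the next reader the question, and if not, the set should be widened to match the intent of forcing a relabel. Since this rule now applies to every domain rather than just appdomain, any existing allow rule granting `device:chr_file` to a non-app domain will be caught at policy build time, which appears to be the goal but is worth confirming against the rest of the policy, which is outside this hunk.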
-- 
GitLab