Drop sys_rawio neverallow for tee

The new Nexus 5 tee implementation requires raw block I/O for anti-rollback protection. Bug: 15777869 Change-Id: I57691a9d06b5a51e2699c240783ed56e3a003396

Drop sys_rawio neverallow for tee
The new Nexus 5 tee implementation requires raw block I/O for anti-rollback protection. Bug: 15777869 Change-Id: I57691a9d06b5a51e2699c240783ed56e3a003396
b59dc27a · Nick Kralevich · f5835666 · b59dc27a
Commit b59dc27a authored 10 years ago by Nick Kralevich
--- a/domain.te
+++ b/domain.te
@@ -169,8 +169,11 @@ neverallow { domain -unconfineddomain -recovery } unlabeled:dir_file_class_set c
 # with other UIDs to these whitelisted domains.
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
-# Limit device node creation and raw I/O to these whitelisted domains.
+# Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;
+# Limit raw I/O to these whitelisted domains.
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
 neverallow domain self:memprotect mmap_zero;