From c27c23fbdbe45fd6d08b16c0d86b42865f0403f4 Mon Sep 17 00:00:00 2001
From: Max <jbires@google.com>
Date: Sun, 4 Dec 2016 15:11:29 -0800
Subject: [PATCH] /dev/port does not seem to be used, adding in rules to
 confirm.

Only init and ueventd have any access to /dev/port, and neither should
have any use for it. As it stands, leaving /dev/port accessible just
represents additional attack surface with no useful functionality, so it
should be removed if possible, not only from Pixel devices but from all
Android devices.

Test: The phone boots successfully

Bug:33301618
Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f
---
 private/file_contexts | 1 +
 public/device.te      | 1 +
 public/domain.te      | 9 +++++++--
 public/init.te        | 2 +-
 public/shell.te       | 1 +
 public/ueventd.te     | 4 ++--
 6 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/private/file_contexts b/private/file_contexts
index 597c9148a..4719f1054 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -85,6 +85,7 @@
 /dev/mtp_usb		u:object_r:mtp_device:s0
 /dev/pmsg0		u:object_r:pmsg_device:s0
 /dev/pn544		u:object_r:nfc_device:s0
+/dev/port		u:object_r:port_device:s0
 /dev/ppp		u:object_r:ppp_device:s0
 /dev/ptmx		u:object_r:ptmx_device:s0
 /dev/pvrsrvkm		u:object_r:gpu_device:s0
diff --git a/public/device.te b/public/device.te
index f01dc6619..93f3e8896 100644
--- a/public/device.te
+++ b/public/device.te
@@ -27,6 +27,7 @@ type graphics_device, dev_type;
 type hw_random_device, dev_type;
 type input_device, dev_type;
 type kmem_device, dev_type;
+type port_device, dev_type;
 type log_device, dev_type, mlstrustedobject;
 type mtd_device, dev_type;
 type mtp_device, dev_type, mlstrustedobject;
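Review bot: `type port_device, dev_type;` is inserted between kmem_device and log_device, which breaks the alphabetical order the surrounding declarations follow (graphics, hw_random, input, kmem, log, mtd, mtp). Move the line to its alphabetical slot further down the list so later additions stay easy to diff. The rest of the type list is outside the hunk, so the exact slot has to be picked in the file.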
diff --git a/public/domain.te b/public/domain.te
index c78af0756..30dbd7e73 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -268,13 +268,18 @@ neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
 neverallow {
   domain
-  -init
-  -kernel
   -shell # For CTS and is restricted to getattr in shell.te
   -ueventd # Further restricted in ueventd.te
 } kmem_device:chr_file *;
 neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
 
+#Ensure that nothing in userspace can access /dev/port
+neverallow {
+  domain
+  -shell # Shell user should not have any abilities outside of getattr
+  -ueventd
+} port_device:chr_file *;
+neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
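Review bot: The hunk also drops `-init` and `-kernel` from the existing kmem_device neverallow, a tightening of the /dev/mem and /dev/kmem rule that the commit message does not mention at all. Since neverallow is enforced at policy build time, the successful boot test implies no init or kernel rule grants kmem_device access any more, but that change should be called out in the description (or split into its own commit) so the intent is auditable. Separately, the new comment `#Ensure that nothing in userspace can access /dev/port` lacks the space after `#` used by every other comment here, and the port_device rules run straight into the `# Only init should be able to configure ...` comment with no blank line, unlike the kmem block above; use `# Ensure that nothing in userspace can access /dev/port` and add a blank line after the second port_device neverallow. The shell exception comment might also mirror the kmem one and say the getattr allowance is there for CTS, if that is indeed why it is kept.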
diff --git a/public/init.te b/public/init.te
index 235f70c35..2e2e16cfc 100644
--- a/public/init.te
+++ b/public/init.te
@@ -184,7 +184,7 @@ allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 
 # chown/chmod on devices.
-allow init { dev_type -kmem_device }:chr_file { read open setattr };
+allow init { dev_type -kmem_device -port_device }:chr_file { read open setattr };
 
 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };
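Review bot: The comment `# chown/chmod on devices.` no longer explains the growing exclusion list on the rule below it, so a reader has to go to domain.te to learn why kmem_device and port_device are carved out. Suggest `# chown/chmod on devices. /dev/mem, /dev/kmem and /dev/port are excluded: init has no use for them and domain.te forbids any access.` Note that with this exclusion an init.rc `chmod`/`chown` on /dev/port would now be denied, which is presumably intended given the commit message.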
diff --git a/public/shell.te b/public/shell.te
index b00c9efd4..591dabc98 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -178,6 +178,7 @@ neverallow shell {
   fuse_device
   hw_random_device
   kmem_device
+  port_device
 }:chr_file ~getattr;
 
 # Limit shell to only getattr on blk devices for host side tests.
diff --git a/public/ueventd.te b/public/ueventd.te
index 46787c4de..3f1dcd473 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -46,5 +46,5 @@ neverallow ueventd property_type:property_service set;
 # Restrict ueventd access on block devices to maintenence operations.
 neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
 
-# Only relabelto as we would never want to relabelfrom kmem_device
-neverallow ueventd kmem_device:chr_file ~{ getattr create setattr unlink relabelto };
+# Only relabelto as we would never want to relabelfrom kmem_device or port_device
+neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };