Remove kmem_device selinux type.

kmem_device was used to label /dev/mem and /dev/kmem. We already have multiple layers of protection against those /dev nodes being present on devices. CTS checks that /dev/mem and /dev/kmem don't exist: https://android.googlesource.com/platform/cts/+/master/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java#233 VTS enforces our base kernel configs, which have CONFIG_DEVKMEM and CONFIG_DEVMEM disabled: https://android.googlesource.com/kernel/configs/+/master/android-4.9/android-base.config#2 Bug: 110962171 Test: m selinux_policy Change-Id: I246740684218dee0cddf81dabf84d4763a753cde

Remove kmem_device selinux type.
kmem_device was used to label /dev/mem and /dev/kmem. We already have multiple layers of protection against those /dev nodes being present on devices. CTS checks that /dev/mem and /dev/kmem don't exist: https://android.googlesource.com/platform/cts/+/master/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java#233 VTS enforces our base kernel configs, which have CONFIG_DEVKMEM and CONFIG_DEVMEM disabled: https://android.googlesource.com/kernel/configs/+/master/android-4.9/android-base.config#2 Bug: 110962171 Test: m selinux_policy Change-Id: I246740684218dee0cddf81dabf84d4763a753cde
c7f56cdc · Tri Vo · fb79404e · c7f56cdc · c7f56cdc · c7f56cdc
Commit c7f56cdc authored 6 years ago by Tri Vo
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -4,6 +4,7 @@
 (type commontime_management_service)
 (type full_device)
 (type i2c_device)
+(type kmem_device)
 (type mediacodec)
 (type mediacodec_exec)
 (type mtd_device)

--- a/private/file_contexts
+++ b/private/file_contexts
@@ -98,9 +98,7 @@
 /dev/iio:device[0-9]+   u:object_r:iio_device:s0
 /dev/ion		u:object_r:ion_device:s0
 /dev/keychord   u:object_r:keychord_device:s0
-/dev/kmem		u:object_r:kmem_device:s0
 /dev/loop-control	u:object_r:loop_control_device:s0
-/dev/mem		u:object_r:kmem_device:s0
 /dev/modem.*		u:object_r:radio_device:s0
 /dev/mtp_usb		u:object_r:mtp_device:s0
 /dev/pmsg0		u:object_r:pmsg_device:s0

--- a/public/device.te
+++ b/public/device.te
@@ -25,7 +25,6 @@ type gpu_device, dev_type, mlstrustedobject;
 type graphics_device, dev_type;
 type hw_random_device, dev_type;
 type input_device, dev_type;
-type kmem_device, dev_type;
 type port_device, dev_type;
 type lowpan_device, dev_type;
 type mtp_device, dev_type, mlstrustedobject;

--- a/public/domain.te
+++ b/public/domain.te
@@ -434,14 +434,6 @@ neverallow {
 # Ensure that all entrypoint executables are in exec_type or postinstall_file.
 neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
-# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow {
-  domain
-  -shell # For CTS and is restricted to getattr in shell.te
-  -ueventd # Further restricted in ueventd.te
-} kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
 #Ensure that nothing in userspace can access /dev/port
 neverallow {
  domain

--- a/public/init.te
+++ b/public/init.te
@@ -275,7 +275,6 @@ allow init {
 allow init {
  dev_type
  -keychord_device
-  -kmem_device
  -port_device
 }:chr_file setattr;

--- a/public/shell.te
+++ b/public/shell.te
@@ -229,7 +229,6 @@ neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_s
 neverallow shell {
  fuse_device
  hw_random_device
-  kmem_device
  port_device
 }:chr_file ~getattr;

--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -68,8 +68,8 @@ neverallow ueventd property_type:property_service set;
 # Restrict ueventd access on block devices to maintenence operations.
 neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
-# Only relabelto as we would never want to relabelfrom kmem_device or port_device
+# Only relabelto as we would never want to relabelfrom port_device
-neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
+neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
 # Nobody should be able to ptrace ueventd
 neverallow * ueventd:process ptrace;
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -129,7 +129,6 @@ allow vendor_init {
 allow vendor_init {
  dev_type
  -keychord_device
-  -kmem_device
  -port_device
  -lowpan_device
  -hw_random_device