From c7f56cdc83b958defa5a27dd12be1783db1b4b2f Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Tue, 13 Nov 2018 17:55:06 -0800
Subject: [PATCH] Remove kmem_device selinux type.

kmem_device was used to label /dev/mem and /dev/kmem. We already have
multiple layers of protection against those /dev nodes being present on
devices.

CTS checks that /dev/mem and /dev/kmem don't exist:
https://android.googlesource.com/platform/cts/+/master/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java#233

VTS enforces our base kernel configs, which have CONFIG_DEVKMEM and
CONFIG_DEVMEM disabled:
https://android.googlesource.com/kernel/configs/+/master/android-4.9/android-base.config#2

Bug: 110962171
Test: m selinux_policy
Change-Id: I246740684218dee0cddf81dabf84d4763a753cde
---
 private/compat/28.0/28.0.cil | 1 +
 private/file_contexts        | 2 --
 public/device.te             | 1 -
 public/domain.te             | 8 --------
 public/init.te               | 1 -
 public/shell.te              | 1 -
 public/ueventd.te            | 4 ++--
 public/vendor_init.te        | 1 -
 8 files changed, 3 insertions(+), 16 deletions(-)

diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index cd8b8134b..790642184 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -4,6 +4,7 @@
 (type commontime_management_service)
 (type full_device)
 (type i2c_device)
+(type kmem_device)
 (type mediacodec)
 (type mediacodec_exec)
 (type mtd_device)
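Review bot: The compat declaration `(type kmem_device)` is bare, so the type stays resolvable for vendor policy built against 28.0 but loses the `dev_type` attribute it had in public/device.te. The neverallow rules that constrained it in public/domain.te are also deleted by this same patch. As far as this patch shows, a 28.0 vendor image that still labels a node with this type, or grants access to it, is no longer covered by any platform assertion. That is probably acceptable given the CTS and VTS checks cited in the description, but it deserves a comment next to the entry, for example `; kmem_device: kept only so 28.0 vendor policy resolves; intentionally has no platform rules`. The list's header is outside the hunk, so check whether it already says this.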
diff --git a/private/file_contexts b/private/file_contexts
index 282120ca2..9ef18e2c3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -98,9 +98,7 @@
 /dev/iio:device[0-9]+   u:object_r:iio_device:s0
 /dev/ion		u:object_r:ion_device:s0
 /dev/keychord   u:object_r:keychord_device:s0
-/dev/kmem		u:object_r:kmem_device:s0
 /dev/loop-control	u:object_r:loop_control_device:s0
-/dev/mem		u:object_r:kmem_device:s0
 /dev/modem.*		u:object_r:radio_device:s0
 /dev/mtp_usb		u:object_r:mtp_device:s0
 /dev/pmsg0		u:object_r:pmsg_device:s0
diff --git a/public/device.te b/public/device.te
index 36a060b72..a4f7f01fe 100644
--- a/public/device.te
+++ b/public/device.te
@@ -25,7 +25,6 @@ type gpu_device, dev_type, mlstrustedobject;
 type graphics_device, dev_type;
 type hw_random_device, dev_type;
 type input_device, dev_type;
-type kmem_device, dev_type;
 type port_device, dev_type;
 type lowpan_device, dev_type;
 type mtp_device, dev_type, mlstrustedobject;
diff --git a/public/domain.te b/public/domain.te
index 0a47bc6d6..0843a222f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -434,14 +434,6 @@ neverallow {
 # Ensure that all entrypoint executables are in exec_type or postinstall_file.
 neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
 
-# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow {
-  domain
-  -shell # For CTS and is restricted to getattr in shell.te
-  -ueventd # Further restricted in ueventd.te
-} kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
-
 #Ensure that nothing in userspace can access /dev/port
 neverallow {
   domain
diff --git a/public/init.te b/public/init.te
index c2938ad15..c06e53853 100644
--- a/public/init.te
+++ b/public/init.te
@@ -275,7 +275,6 @@ allow init {
 allow init {
   dev_type
   -keychord_device
-  -kmem_device
   -port_device
 }:chr_file setattr;
 
diff --git a/public/shell.te b/public/shell.te
index cef1b0a35..26f44f6f4 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -229,7 +229,6 @@ neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_s
 neverallow shell {
   fuse_device
   hw_random_device
-  kmem_device
   port_device
 }:chr_file ~getattr;
 
diff --git a/public/ueventd.te b/public/ueventd.te
index 0863302dd..cc4e30bf5 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -68,8 +68,8 @@ neverallow ueventd property_type:property_service set;
 # Restrict ueventd access on block devices to maintenence operations.
 neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
 
-# Only relabelto as we would never want to relabelfrom kmem_device or port_device
-neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
+# Only relabelto as we would never want to relabelfrom port_device
+neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
 
 # Nobody should be able to ptrace ueventd
 neverallow * ueventd:process ptrace;
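Review bot: After this change the neverallow on the rewritten line covers only `port_device`, and nothing in policy names /dev/mem or /dev/kmem any more. The permitted `create` suggests ueventd is the domain that makes these nodes. If a kernel built with CONFIG_DEVMEM or CONFIG_DEVKMEM exposed one, it would presumably get whatever fallback label file_contexts assigns under /dev, and protection would rest on the rules for that generic type, which are not visible in this patch. It is worth confirming that those rules deny open/read/write to everything the removed domain.te neverallow covered. The comment should also record where the guarantee now lives, for example `# Only relabelto as we would never want to relabelfrom port_device. /dev/mem and /dev/kmem have no dedicated type; their absence is enforced by kernel config (VTS) and CTS.`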
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 2b9c733d9..5ecd2a103 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -129,7 +129,6 @@ allow vendor_init {
 allow vendor_init {
   dev_type
   -keychord_device
-  -kmem_device
   -port_device
   -lowpan_device
   -hw_random_device
-- 
GitLab