From d0919ec25361ffeda3aa44cc2ecaf875f99784c3 Mon Sep 17 00:00:00 2001
From: William Roberts <wroberts@tresys.com>
Date: Thu, 30 Jan 2014 09:10:28 -0800
Subject: [PATCH] assert: do not allow raw access to generic block_device

Rather then allowing open,read,write to raw block devices, one should relabel it to something more specific. vold should be re-worked so we can drop it from this assert.

Change-Id: Ie891a9eaf0814ea3878d32b18b4e9f4d7dac4faf
---
 domain.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/domain.te b/domain.te
index 6d755a75c..13b977a9a 100644
--- a/domain.te
+++ b/domain.te
@@ -183,3 +183,7 @@ neverallow domain init:process ptrace;
 # Init can't receive binder calls. If this neverallow rule is being
 # triggered, it's probably due to a service with no SELinux domain.
 neverallow domain init:binder call;
+
+# Don't allow raw read/write/open access to block_device
+# Rather force a relabel to a more specific type
+neverallow { domain -unconfineddomain -vold } block_device:blk_file { open read write };
--
GitLab
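Review bot: The new neverallow on the last added line covers only `open read write`, so a domain that is granted `ioctl` on `block_device:blk_file` can still drive the generic block device (including destructive block ioctls) without ever being forced to relabel it; either add `ioctl` to the permission set or say in the comment why it is intentionally left out. The `append` permission is likewise absent and, for an fd handed over by an exempted domain, would presumably let a domain write to the device without `write` — worth confirming against the policy's fd-passing rules. The `-unconfineddomain -vold` carve-outs are justified only in the commit message; the policy comment should carry that so the exemption is not mistaken for permanent, e.g. `# TODO: drop vold from this exemption once it uses specific block-device types`. The rule is only as strong as the labeling of device nodes as `block_device`, which lives in file_contexts outside this hunk.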