Neverallow access to the kmem device from userspace.

Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4

app.te

@@ -137,9 +137,6 @@ neverallow { appdomain -unconfineddomain } self:capability2 *;
 # Block device access.
 neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };
 
-# Kernel memory access.
-neverallow { appdomain -unconfineddomain } kmem_device:chr_file { read write };
-
 # Access to any character device that is not specifically typed.
 neverallow { appdomain -unconfineddomain } device:chr_file { read write };
 

domain.te

@@ -139,3 +139,7 @@ neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_
 
 # Ensure that all entrypoint executables are in exec_type.
 neverallow domain { file_type -exec_type }:file entrypoint;
+
+# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
+neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
+neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };

netd.te

@@ -64,9 +64,6 @@ allow netd device:sock_file write;
 # Block device access.
 neverallow netd dev_type:blk_file { read write };
 
-# Kernel memory access.
-neverallow netd kmem_device:chr_file { read write };
-
 # Setting SELinux enforcing status or booleans.
 neverallow netd kernel:security { setenforce setbool };
 

unconfined.te

@@ -30,7 +30,7 @@ allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain fs_type:filesystem *;
 allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain {fs_type dev_type file_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 allow unconfineddomain netif_type:netif *;