From eb43e6548e1c23d9b47b98d6dd429f9887223dfa Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 10 Feb 2016 09:33:08 -0800
Subject: [PATCH] uncrypt: drop generic block_device allow rules

Currently, uncrypt has write access to "block_device". This is
the generic label used for a file in /dev/block which doesn't
have a more specific label assigned to it.

This is an overly broad grant. Commit a10f789d286d0f28c85488629cc92f5ab6ca8e00
started the process of deprecating "block_device" access in favor
of "misc_block_device".

This change completes the deprecation and removes the overly
broad grant. Also update the neverallow rules so that
this overly broad rule cannot be reintroduced into uncrypt.

Bug: 25091603
Change-Id: Ifc5fa412db2f95726ae89c32c577a6659885ae55
---
 domain.te  | 2 +-
 uncrypt.te | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/domain.te b/domain.te
index b2117db1a..2922da683 100644
--- a/domain.te
+++ b/domain.te
@@ -238,7 +238,7 @@ neverallow * init:binder *;
 
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
 
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
diff --git a/uncrypt.te b/uncrypt.te
index 354bda004..9231a4dd3 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -26,8 +26,6 @@ set_prop(uncrypt, powerctl_prop)
 
 # Raw writes to block device
 allow uncrypt self:capability sys_rawio;
-allow uncrypt block_device:blk_file w_file_perms;
-auditallow uncrypt block_device:blk_file w_file_perms;
 allow uncrypt misc_block_device:blk_file w_file_perms;
 allow uncrypt block_device:dir r_dir_perms;
 
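Review bot: The `# Raw writes to block device` comment above `allow uncrypt self:capability sys_rawio;` is now imprecise, because the only blk_file write grant left in the hunk is on misc_block_device; suggest `# Raw writes to misc_block_device (generic block_device:blk_file access is neverallowed in domain.te)`. With the generic allow gone, uncrypt can only write block nodes that carry the misc_block_device label, and this patch does not touch file_contexts, so any node still under the generic label would now be denied rather than audited; the removed `auditallow` presumably having stayed silent since a10f789d is the evidence for that, and it is worth stating in the description. The `allow uncrypt block_device:dir r_dir_perms;` kept on the last line is unaffected by the tightened neverallow, which covers only blk_file.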
-- 
GitLab