From ff511cb5dba4f970f586a8e9e87d879f13b0bacd Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 7 Sep 2018 07:39:28 -0700
Subject: [PATCH] Disallow new untrusted_app access to /proc/tty/drivers
Access is deprecated for apps with targetSdkVersion=26+.
Test: build (neverallow rules are build time assertions)
Change-Id: I36480c38d45cf6bfb75f4988ffcefefc6b62d4b1
---
 private/app_neverallows.te | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 8c530308a..1c1deb02f 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -265,3 +265,11 @@ full_treble_only(`
 # Untrusted apps are not allowed to find mediaextractor update service.
 neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
+
+# Access to /proc/tty/drivers, to allow apps to determine if they
+# are running in an emulated environment.
+# b/33214085 b/33814662 b/33791054 b/33211769
+# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
+# This will go away in a future Android release
+neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
+neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
-- GitLab
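Review bot: The comment added above the two new `neverallow` rules describes why access to /proc/tty/drivers is granted, not what the rules forbid, so next to a build-time prohibition it reads as the opposite of what is asserted. It looks carried over from the matching allow rule, though that rule is not visible in this hunk, so this is an inference. A wording that matches the assertions would be `# Only untrusted_app_25 may read /proc/tty/drivers (legacy emulator detection); no untrusted app may do more than read it.` The closing line should also say what is temporary, for example `# The untrusted_app_25 exemption will go away in a future Android release`, since as written it can be read as the neverallow itself being removed later.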