Broke the dragon build:
libsepol.report_failure: neverallow on line 304 of system/sepolicy/public/domain.te (or line 8638 of policy.conf) violated by allow kernel device:chr_file { create setattr };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
This reverts commit ed0b4eb366.
Change-Id: I5d55ab59ed72ce7c19a10ddbb374f9f3b3fae4fd
By default, files created in /dev are labeled with the "device" label
unless a different label has been assigned. The direct use of this
generic label is discouraged (and in many cases neverallowed) because
rules involving this label tend to be overly broad and permissive.
Today, generically labeled character devices can only be opened, read,
or written to by init and ueventd.
$ sesearch --allow -t device -c chr_file -p open,read,write out/target/product/marlin/root/sepolicy
allow init device:chr_file { setattr read lock getattr write ioctl open append };
allow ueventd device:chr_file { read lock getattr write ioctl open append };
this is enforced by the following SELinux neverallow rule (compile time
assertion + CTS test):
neverallow { domain -init -ueventd } device:chr_file { open read write };
Start auditallowing ueventd access to /dev character device files with the
default SELinux label. This doesn't appear to be used, but let's prove it.
While ueventd is expected to create files in /dev, it has no need to open
most of the files it creates.
Note, however, that because ueventd has mknod + setfscreate permissions,
a malicious or compromised ueventd can always create a device node under
an incorrect label, and gain access that way.
The goal of this change is to prove that no process other than init are
accessing generically labeled files in /dev.
While I'm here, tighten up the compile time assertion for
device:chr_file to include more permissions.
Test: policy compiles + device boots with no granted messages.
Change-Id: Ic98b0ddc631b49b09e58698d9f40738ccedd1fd0
Only init and ueventd have any access to /dev/port, and neither should
have any use for it. As it stands, leaving port in just represents
additional attack surface with no useful functionality, so it should be
removed if possible, not only from Pixel devices, but from all Android
devices.
Test: The phone boots successfully
Bug:33301618
Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
