Disallow /misc access except for a few domains.
The misc_block_device partition is intended for the exclusive
use of the OTA system, and components related to the OTA system.
Disallow its use by anyone else on user builds. On userdebug/eng
builds, allow any domain to use this, since this appears to be used
for testing purposes.
Bug: 26470876
(cherry picked from commit 2c7a5f26b96dc35310727b8e63c18445778dbbaa)
Change-Id: I40c80fa62651a0135e1f07a5e07d2ef65ba04139
diff --git a/domain.te b/domain.te
index 8ff05a5..2b4f68c 100644
--- a/domain.te
+++ b/domain.te
@@ -351,6 +351,20 @@
# No domains other than install_recovery or recovery can write to recovery.
neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain') # exclude debuggable builds
+ -init
+ -uncrypt
+ -update_engine
+ -vold
+ -recovery
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
# Only servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager } *:binder set_context_mgr;