Wider neverallow rules for coredomain /dev access.

"iio_device", "radio_device" must not be accessed by coredomain on all
devices. And "tee_device" must not be accessed by coredomain on Treble
devices.

Bug: 110962171
Test: m selinux_policy
Test: mmma system/sepolicy
Change-Id: I27029b6579b41109c01c35c6ab5a992413f2de5c
diff --git a/private/coredomain.te b/private/coredomain.te
index 5650247..04f7a46 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -169,12 +169,12 @@
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')
-# Following /dev nodes must not be directly accessed by coredomain after Treble,
-# but should instead be wrapped by HALs.
-full_treble_only(`
- neverallow coredomain {
- iio_device
- radio_device
- tee_device
- }:chr_file { open read append write ioctl };
-')
+# Following /dev nodes must not be directly accessed by coredomain, but should
+# instead be wrapped by HALs.
+neverallow coredomain {
+ iio_device
+ radio_device
+ # TODO(b/120243891): HAL permission to tee_device is included into coredomain
+ # on non-Treble devices.
+ full_treble_only(`tee_device')
+}:chr_file { open read append write ioctl };
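Review bot: The new unconditional neverallow coredomain block now covers iio_device and radio_device on non-Treble builds as well, but the Test lines only list "m selinux_policy" and "mmma system/sepolicy" and do not say whether a non-Treble target was built. Since a neverallow violation fails policy compilation, please build at least one non-Treble device policy and record it in the commit message, so that any existing coredomain allow rule on these types surfaces before merge. Separately, the header comment "must not be directly accessed by coredomain" reads as unconditional while tee_device is still restricted only under full_treble_only; the TODO(b/120243891) explains why, but it would help to state the condition for removing the wrapper (moving the HAL's tee_device permission out of coredomain on non-Treble devices) so the exception does not become permanent.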