Merge "Allow system_server access to hidraw devices." into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index d9767ed..54dc1f3 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -150,6 +150,8 @@
/dev/gnss10 gnss_device
/dev/graphics graphics_device
/dev/graphics/test graphics_device
+/dev/hidraw0 hidraw_device
+/dev/hidraw1 hidraw_device
/dev/hw_random hw_random_device
/dev/hwbinder hwbinder_device
/dev/input input_device
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ea10df5..5ea924a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -295,3 +295,6 @@
# anon_inode usages like userfaultfd and io_uring. This prevents us from
# creating a more fine-grained neverallow policy for each anon_inode usage.
neverallow all_untrusted_apps domain:anon_inode *;
+
+# Do not allow untrusted app access to hidraw devices.
+neverallow all_untrusted_apps hidraw_device:chr_file *;
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index ccaef76..2c9961d 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -16,6 +16,7 @@
hal_macsec_service
hal_remotelyprovisionedcomponent_avf_service
hal_threadnetwork_service
+ hidraw_device
virtual_camera_service
ot_daemon_service
pm_archiving_enabled_prop
diff --git a/private/file_contexts b/private/file_contexts
index 32092da..3cfbaf0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -127,6 +127,7 @@
/dev/fuse u:object_r:fuse_device:s0
/dev/gnss[0-9]+ u:object_r:gnss_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
+/dev/hidraw[0-9]+ u:object_r:hidraw_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0
/dev/input(/.*)? u:object_r:input_device:s0
diff --git a/private/system_server.te b/private/system_server.te
index 8c26cc7..bab31ae 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -480,6 +480,8 @@
allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
allow system_server uhid_device:chr_file rw_file_perms;
+allow system_server hidraw_device:dir r_dir_perms;
+allow system_server hidraw_device:chr_file rw_file_perms;
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;
diff --git a/public/device.te b/public/device.te
index 4a824c9..f842d33 100644
--- a/public/device.te
+++ b/public/device.te
@@ -64,6 +64,7 @@
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
+type hidraw_device, dev_type;
# All devices have a uart for the hci
# attach service. The uart dev node