commit | 4245d0413b39d39c10a9fefb2244875421ceae5a | |
---|---|---|
author | Daniel Norman <danielnorman@google.com> | Thu Nov 30 23:28:04 2023 +0000 |
committer | Daniel Norman <danielnorman@google.com> | Thu Nov 30 23:33:55 2023 +0000 |
tree | 74036d2aa31ba1e86f71540e00430e6b61fc30bb | |
parent | d3fe043eb89bf034084a2322fffd5d8232d1e79c | |

Allow system_server access to hidraw devices.

This allows AccessibilityManagerService in system_server to
interact with a HID-supported Braille Display.

Bug: 303522222
Test: ls -z /dev/hidraw0
Test: plat_file_contexts_test
Test: Open FileInputStream and FileOutputStream on this device
  path from AccessibilityManagerService
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:67a63cc046769759aa43cf1653f11e57c55cd1db)
Merged-In: I2982e907bd2a70c1e4e8161647d6efd65110b99c
Change-Id: I2982e907bd2a70c1e4e8161647d6efd65110b99c

diff --git a/private/app_neverallows.te b/private/app_neverallows.te index ea10df5..5ea924a 100644 --- a/private/app_neverallows.te +++ b/private/app_neverallows.te
@@ -295,3 +295,6 @@ # anon_inode usages like userfaultfd and io_uring. This prevents us from # creating a more fine-grained neverallow policy for each anon_inode usage. neverallow all_untrusted_apps domain:anon_inode *; + +# Do not allow untrusted app access to hidraw devices. +neverallow all_untrusted_apps hidraw_device:chr_file *;
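
Review bot: the neverallow added at the end of private/app_neverallows.te covers only all_untrusted_apps, which is narrower than the intent stated in the commit message (access for system_server alone). Privileged and platform apps, and every non-app domain, could still be granted hidraw_device:chr_file by a later change without tripping a build-time check. Consider a domain-wide rule alongside the allow, along the lines of `neverallow { domain -system_server -init -ueventd } hidraw_device:chr_file *;`, where the exclusion set is an assumption that depends on which domains create and label the node. The comment above the rule would also benefit from saying why the restriction exists: hidraw gives whoever opens the node raw read and write access to the device's HID reports.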