shell: remove /dev/input write access
Shell access to existing input devices is an abuse vector.
The shell user can inject events that look like they originate
from the touchscreen etc.
Everyone should have already moved to UiAutomation#injectInputEvent
if they are running instrumentation tests (i.e. CTS), Monkey for
their stress tests, and the input command (adb shell input ...) for
injecting swipes and things.
Remove the write ability for shell users, and add a neverallow assertion
(which is also a CTS test) to prevent regressions.
Bug: 30861057
Test: auditallow statement added in
f617a404c2d3d43e1146a7237752aa1baab68918 hasn't triggered.
Test: ran getevent, saw correct output, played with device
Change-Id: Ia78eeec05f6015478dd32bd59505b51fef200a99
diff --git a/public/shell.te b/public/shell.te
index 6c93703..9569d97 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -47,11 +47,7 @@
allow shell console_device:chr_file rw_file_perms;
allow shell input_device:dir r_dir_perms;
-allow shell input_device:chr_file rw_file_perms;
-# b/30861057: TODO: No shell write access to existing input devices
-userdebug_or_eng(`
- auditallow shell input_device:chr_file write;
-')
+allow shell input_device:chr_file r_file_perms;
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
@@ -238,3 +234,12 @@
# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;
+
+# b/30861057: Shell access to existing input devices is an abuse
+# vector. The shell user can inject events that look like they
+# originate from the touchscreen etc.
+# Everyone should have already moved to UiAutomation#injectInputEvent
+# if they are running instrumentation tests (i.e. CTS), Monkey for
+# their stress tests, and the input command (adb shell input ...) for
+# injecting swipes and things.
+neverallow shell input_device:chr_file no_w_file_perms;