Address auditallow spam from init
Init has access to a number of character devices inherited via
domain.te. Exclude those character devices from the auditallow
logging.
In addition, init has access to a number of character devices explicitly
listed in init.te. Exclude those from auditallow logging too.
Addresses various auditallow spam, including:
avc: granted { read open } for comm="init" path="/dev/urandom"
dev="tmpfs" ino=1197 scontext=u:r:init:s0
tcontext=u:object_r:random_device:s0 tclass=chr_file
avc: granted { read open } for comm="init" path="/dev/ptmx" dev="tmpfs"
ino=1294 scontext=u:r:init:s0 tcontext=u:object_r:ptmx_device:s0
tclass=chr_file
avc: granted { read } for comm="init" name="keychord" dev="tmpfs"
ino=1326 scontext=u:r:init:s0 tcontext=u:object_r:keychord_device:s0
tclass=chr_file
avc: granted { read open } for comm="init" path="/dev/keychord"
dev="tmpfs" ino=1326 scontext=u:r:init:s0
tcontext=u:object_r:keychord_device:s0 tclass=chr_file
and others not covered above.
Bug: 35197529
Bug: 33347297
Test: policy compiles and no auditallow denials.
Change-Id: Id869404a16c81c779943e9967eb32da226b6047e
diff --git a/public/init.te b/public/init.te
index fe8cdbb..4d64aad 100644
--- a/public/init.te
+++ b/public/init.te
@@ -200,10 +200,24 @@
allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
auditallow init {
dev_type
- -kmem_device
- -port_device
+ -alarm_device
+ -ashmem_device
+ -binder_device
+ -console_device
-device
+ -devpts
+ -dm_device
+ -hwbinder_device
+ -hw_random_device
+ -keychord_device
+ -kmem_device
+ -kmsg_device
-null_device
+ -owntty_device
+ -port_device
+ -ptmx_device
+ -random_device
+ -zero_device
}:chr_file { read open };
# chown/chmod on devices.
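Review bot: the auditallow exclusion list in this hunk has to be kept in sync by hand with every explicit chr_file allow that init gets in init.te and domain.te, and the hunk itself does not show those rules, so each type being added here (for example `-dm_device`, `-kmsg_device`, `-owntty_device`) should be checked against an existing explicit allow before merge: a type excluded here without one is still granted by the broad `allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };` rule just above, and the removed audit was the only visibility into that access. Conversely, a future explicit allow that is not mirrored here will reintroduce the granted-message spam this change is removing; a one-line comment above the auditallow stating that the two lists must move together would help the next editor. Two smaller points: `-kmem_device` and `-port_device` are already subtracted from the allow rule, so keeping them in the auditallow is a harmless no-op, and under plain ASCII ordering `-hw_random_device` sorts before `-hwbinder_device`, so the list is not quite alphabetized as written.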