Merge "init: drop /dev/keychord access"
diff --git a/public/domain.te b/public/domain.te
index c8b0bc1..5e43db9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -366,9 +366,7 @@
# b/78174219 b/64114943
neverallow {
domain
- -init
-shell # stat of /dev, getattr only
- -vendor_init
-ueventd
} keychord_device:chr_file *;
diff --git a/public/init.te b/public/init.te
index 5db0ab3..d3a3b1f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -234,6 +234,7 @@
allow init {
fs_type
-contextmount_type
+ -keychord_device
-proc_type
-sdcard_type
-sysfs_type
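Review bot: The `-keychord_device` added to this `fs_type` set may have no effect. The other hunks subtract the same type from `dev_type` sets, which suggests it is a device type, and a device type is only a member of `fs_type` if it also carries that attribute. The rule's class and permissions lie outside the hunk, so this cannot be confirmed from here. If the subtraction is purely defensive, a comment such as `# keychord_device: excluded to match the neverallow in domain.te` would say so. The same question applies to the `fs_type` set in public/vendor_init.te (@@ -99,6 +99,7).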
@@ -245,11 +246,12 @@
# TODO: auditing to see if this can be deleted entirely
allow init {
dev_type
+ -keychord_device
-kmem_device
-port_device
-device
-vndbinder_device
- }:chr_file { read open };
+}:chr_file { read open };
auditallow init {
dev_type
-alarm_device
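Review bot: The `-keychord_device` exclusion added to the `dev_type` read/open rule carries no explanation, and the same line is repeated in the setattr rule (@@ -274,7 +275,12) and in public/vendor_init.te (@@ -119,6 +120,7). The domain.te neverallow in this commit no longer exempts init or vendor_init, so dropping one of these exclusions later should fail the policy build rather than silently grant access, but a reader of init.te alone cannot see that link. A one-line comment above the list, for example `# keychord_device is off limits to init; see neverallow in domain.te`, would record it. The auditallow block that follows continues outside the hunk.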
@@ -262,7 +264,6 @@
-hwbinder_device
-hw_random_device
-input_device
- -keychord_device
-kmem_device
-kmsg_device
-null_device
@@ -274,7 +275,12 @@
}:chr_file { read open };
# chown/chmod on devices.
-allow init { dev_type -kmem_device -port_device }:chr_file setattr;
+allow init {
+ dev_type
+ -keychord_device
+ -kmem_device
+ -port_device
+}:chr_file setattr;
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
@@ -464,9 +470,7 @@
# only ever accessed by init.
allow init device:file create_file_perms;
-# keychord configuration
-allow init self:global_capability_class_set sys_tty_config;
-allow init keychord_device:chr_file rw_file_perms;
+# keychord retrieval from /dev/input/ devices
allow init input_device:dir r_dir_perms;
allow init input_device:chr_file rw_file_perms;
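Review bot: Removing `allow init self:global_capability_class_set sys_tty_config;` goes beyond what the commit title describes, since it drops a capability rather than access to /dev/keychord. The old comment grouped it with keychord configuration, so it is probably unused now, but nothing visible here shows that no other init code path needs it. A boot test with no `avc: denied { sys_tty_config }` entries for init would confirm it. Separately, the new comment describes retrieval from /dev/input, yet the rule beneath it keeps `rw_file_perms` on `input_device:chr_file`. If init only reads events, `r_file_perms` would be the tighter grant; if write access is required, the comment should say why.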
diff --git a/public/vendor_init.te b/public/vendor_init.te
index f55b3e8..19d906b 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -99,6 +99,7 @@
allow vendor_init {
fs_type
-contextmount_type
+ -keychord_device
-sdcard_type
-rootfs
-proc_uid_time_in_state
@@ -119,6 +120,7 @@
# chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init {
dev_type
+ -keychord_device
-kmem_device
-port_device
-lowpan_device