/dev/port does not seem to be used, adding in rules to confirm.

Only init and ueventd have any access to /dev/port, and neither should
have any use for it. As it stands, leaving /dev/port in place only adds
attack surface with no useful functionality, so it should be removed
where possible, not only from Pixel devices but from all Android
devices.

Test: The phone boots successfully

Bug:33301618
Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f
diff --git a/private/file_contexts b/private/file_contexts
index 597c914..4719f10 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -85,6 +85,7 @@
 /dev/mtp_usb		u:object_r:mtp_device:s0
 /dev/pmsg0		u:object_r:pmsg_device:s0
 /dev/pn544		u:object_r:nfc_device:s0
+/dev/port		u:object_r:port_device:s0
 /dev/ppp		u:object_r:ppp_device:s0
 /dev/ptmx		u:object_r:ptmx_device:s0
 /dev/pvrsrvkm		u:object_r:gpu_device:s0
diff --git a/public/device.te b/public/device.te
index f01dc66..93f3e88 100644
--- a/public/device.te
+++ b/public/device.te
@@ -27,6 +27,7 @@
 type hw_random_device, dev_type;
 type input_device, dev_type;
 type kmem_device, dev_type;
+type port_device, dev_type;
 type log_device, dev_type, mlstrustedobject;
 type mtd_device, dev_type;
 type mtp_device, dev_type, mlstrustedobject;
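Review bot: The new `type port_device, dev_type;` line breaks the alphabetical order the surrounding declarations follow (hw_random, input, kmem, log, mtd, mtp, …); it should sit after the `m*_device` entries rather than between kmem_device and log_device. A one-line comment would also help the next reader, since the name alone does not say what the node is: `# /dev/port: raw I/O-port access device; no userspace domain may open it (see domain.te)`. I am inferring the ordering convention from the visible context lines only; the rest of the type list is outside this hunk.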
diff --git a/public/domain.te b/public/domain.te
index c78af07..30dbd7e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -268,13 +268,18 @@
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
 neverallow {
   domain
-  -init
-  -kernel
   -shell # For CTS and is restricted to getattr in shell.te
   -ueventd # Further restricted in ueventd.te
 } kmem_device:chr_file *;
 neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
 
+#Ensure that nothing in userspace can access /dev/port
+neverallow {
+  domain
+  -shell # Shell user should not have any abilities outside of getattr
+  -ueventd
+} port_device:chr_file *;
+neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
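Review bot: The kmem_device neverallow on the new side no longer excludes init or kernel, so it now forbids both domains from touching /dev/mem and /dev/kmem, yet the commit message only talks about /dev/port. If that tightening is intentional it deserves a sentence in the description (and, if kernel.te or init.te still grant anything on kmem_device, the policy build will reject it — I cannot see those files here). Two smaller points in the new port_device block: `#Ensure` should be `# Ensure` to match the kmem comment above it, and the `-ueventd` exclusion should carry the same pointer as its kmem counterpart, `-ueventd # Further restricted in ueventd.te`. A blank line is also missing between the second port_device neverallow and the `# Only init should be able to configure …` comment, so the two unrelated rule groups read as one.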
diff --git a/public/init.te b/public/init.te
index 235f70c..2e2e16c 100644
--- a/public/init.te
+++ b/public/init.te
@@ -184,7 +184,7 @@
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 
 # chown/chmod on devices.
-allow init { dev_type -kmem_device }:chr_file { read open setattr };
+allow init { dev_type -kmem_device -port_device }:chr_file { read open setattr };
 
 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };
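Review bot: The comment on the changed allow rule does not explain why kmem_device and port_device are carved out, and the reason is non-local (the domain.te neverallows forbid every domain, init included, from accessing either node). Suggested wording: `# chown/chmod on devices. kmem_device and port_device are excluded because domain.te neverallows any access to them.` Without it a future edit that drops an exclusion would only be caught by the neverallow at build time.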
diff --git a/public/shell.te b/public/shell.te
index b00c9ef..591dabc 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -178,6 +178,7 @@
   fuse_device
   hw_random_device
   kmem_device
+  port_device
 }:chr_file ~getattr;
 
 # Limit shell to only getattr on blk devices for host side tests.
diff --git a/public/ueventd.te b/public/ueventd.te
index 46787c4..3f1dcd4 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -46,5 +46,5 @@
 # Restrict ueventd access on block devices to maintenence operations.
 neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
 
-# Only relabelto as we would never want to relabelfrom kmem_device
-neverallow ueventd kmem_device:chr_file ~{ getattr create setattr unlink relabelto };
+# Only relabelto as we would never want to relabelfrom kmem_device or port_device
+neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };