Remove kmem_device selinux type.
kmem_device was used to label /dev/mem and /dev/kmem. We already have
multiple layers of protection against those /dev nodes being present on
devices.
CTS checks that /dev/mem and /dev/kmem don't exist:
https://android.googlesource.com/platform/cts/+/master/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java#233
VTS enforces our base kernel configs, which have CONFIG_DEVKMEM and
CONFIG_DEVMEM disabled:
https://android.googlesource.com/kernel/configs/+/master/android-4.9/android-base.config#2
Bug: 110962171
Test: m selinux_policy
Change-Id: I246740684218dee0cddf81dabf84d4763a753cde
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index cd8b813..7906421 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -4,6 +4,7 @@
(type commontime_management_service)
(type full_device)
(type i2c_device)
+(type kmem_device)
(type mediacodec)
(type mediacodec_exec)
(type mtd_device)
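Review bot: The bare `(type kmem_device)` added here only keeps pre-29 vendor policy compiling if this compat file also maps it into the versioned attribute (presumably a `typeattributeset kmem_device_28_0 (kmem_device)` entry elsewhere in 28.0.cil); that mapping is not visible in the hunk, so please confirm it exists or add it alongside this declaration. A one-line comment such as `; kmem_device removed from public policy; /dev/mem and /dev/kmem are no longer labeled` next to the type would tell future readers why a type that no longer exists in public/ is declared here.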
diff --git a/private/file_contexts b/private/file_contexts
index 282120c..9ef18e2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -98,9 +98,7 @@
/dev/iio:device[0-9]+ u:object_r:iio_device:s0
/dev/ion u:object_r:ion_device:s0
/dev/keychord u:object_r:keychord_device:s0
-/dev/kmem u:object_r:kmem_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
-/dev/mem u:object_r:kmem_device:s0
/dev/modem.* u:object_r:radio_device:s0
/dev/mtp_usb u:object_r:mtp_device:s0
/dev/pmsg0 u:object_r:pmsg_device:s0
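Review bot: With these two entries gone, a `/dev/mem` or `/dev/kmem` node that does appear (a vendor kernel that did not inherit the base config, or a build where CTS/VTS were not run) would presumably fall through to the generic `/dev(/.*)?` entry and be labeled with the broad `device` type rather than anything restrictive — that default line is not in the hunk, so confirm which label now applies. That is an accepted trade-off per the commit message, but it is worth recording in the file so nobody re-adds the labels or assumes policy still guards these paths: e.g. a comment at the removal point, `# /dev/mem and /dev/kmem are intentionally unlabeled: CONFIG_DEVMEM/CONFIG_DEVKMEM are disabled by the base kernel config and CTS asserts the nodes do not exist.`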
diff --git a/public/device.te b/public/device.te
index 36a060b..a4f7f01 100644
--- a/public/device.te
+++ b/public/device.te
@@ -25,7 +25,6 @@
type graphics_device, dev_type;
type hw_random_device, dev_type;
type input_device, dev_type;
-type kmem_device, dev_type;
type port_device, dev_type;
type lowpan_device, dev_type;
type mtp_device, dev_type, mlstrustedobject;
diff --git a/public/domain.te b/public/domain.te
index 0a47bc6..0843a22 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -434,14 +434,6 @@
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
-# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow {
- domain
- -shell # For CTS and is restricted to getattr in shell.te
- -ueventd # Further restricted in ueventd.te
-} kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
-
#Ensure that nothing in userspace can access /dev/port
neverallow {
domain
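Review bot: Removing this neverallow removes the last policy-level (compile-time) guarantee that no domain, including vendor domains, can open `/dev/mem`/`/dev/kmem`; protection now rests entirely on CONFIG_DEVMEM/CONFIG_DEVKMEM being disabled and on CTS/VTS catching the nodes, which only hold where those tests are actually enforced. Since the surrounding block is a list of "nothing in userspace can access X" rules, a short note in its place would keep that design intent discoverable: `# /dev/mem and /dev/kmem are not labeled; their absence is enforced by kernel config (CONFIG_DEVMEM/CONFIG_DEVKMEM=n, checked by VTS) and by CTS.` The neverallow for `port_device` that follows continues past the end of this hunk.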
diff --git a/public/init.te b/public/init.te
index c2938ad..c06e538 100644
--- a/public/init.te
+++ b/public/init.te
@@ -275,7 +275,6 @@
allow init {
dev_type
-keychord_device
- -kmem_device
-port_device
}:chr_file setattr;
diff --git a/public/shell.te b/public/shell.te
index cef1b0a..26f44f6 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -229,7 +229,6 @@
neverallow shell {
fuse_device
hw_random_device
- kmem_device
port_device
}:chr_file ~getattr;
diff --git a/public/ueventd.te b/public/ueventd.te
index 0863302..cc4e30b 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -68,8 +68,8 @@
# Restrict ueventd access on block devices to maintenence operations.
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
-# Only relabelto as we would never want to relabelfrom kmem_device or port_device
-neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
+# Only relabelto as we would never want to relabelfrom port_device
+neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
# Nobody should be able to ptrace ueventd
neverallow * ueventd:process ptrace;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 2b9c733..5ecd2a1 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -129,7 +129,6 @@
allow vendor_init {
dev_type
-keychord_device
- -kmem_device
-port_device
-lowpan_device
-hw_random_device