assert: do not allow raw access to generic block_device

Rather than allowing open, read, write to raw block devices, one
should relabel them to something more specific.

vold should be re-worked so we can drop it from this assert.

Change-Id: Ie891a9eaf0814ea3878d32b18b4e9f4d7dac4faf
diff --git a/domain.te b/domain.te
index 6d755a7..13b977a 100644
--- a/domain.te
+++ b/domain.te
@@ -183,3 +183,7 @@
 # Init can't receive binder calls. If this neverallow rule is being
 # triggered, it's probably due to a service with no SELinux domain.
 neverallow domain init:binder call;
+
+# Don't allow raw read/write/open access to block_device
+# Rather force a relabel to a more specific type
+neverallow { domain -unconfineddomain -vold } block_device:blk_file { open read write };
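
Review bot: The comment above the new neverallow does not explain the -vold exclusion, although the commit message says vold should be re-worked so it can be dropped from this assert. Add a TODO line to the comment so the exemption is tracked in domain.te itself and not only in the commit log. Separately, the permission set is { open read write }; consider whether append belongs in it as well, since it is a distinct blk_file permission and the comment states the intent as blocking raw read/write access.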