appdomain: neverallow direct input_device access Applications should not access /dev/input/* for events, but rather use events handled via the activity mechanism. Change-Id: I0182b6be1b7c69d96e4366ba59f14cee67be4beb Signed-off-by: William Roberts <william.c.roberts@intel.com>

commit: e83b9f037c47f004391a8c947303a48548f79838 [log] [tgz]
author: William Roberts <william.c.roberts@intel.com> Fri Jul 01 10:36:38 2016 -0400
committer: William C Roberts <william.c.roberts@intel.com> Tue Jul 26 20:04:29 2016 +0000
tree: 2bf4b8f74d19d5a54fc2d3cd6b32e878d3cf3492
parent: 362d6ff1b881fafa044b4cbc4428a4cc4caa1938 [diff]
diff --git a/app.te b/app.te
index 70b1c94..f166caa 100644
--- a/app.te
+++ b/app.te

@@ -405,3 +405,9 @@
   system_file
   tmpfs
 }:lnk_file no_w_file_perms;
+
+# Applications should use the activity model for receiving events
+neverallow {
+  appdomain
+  -shell # bugreport
+} input_device:chr_file ~getattr;
commit	e83b9f037c47f004391a8c947303a48548f79838	[log] [tgz]
author	William Roberts <william.c.roberts@intel.com>	Fri Jul 01 10:36:38 2016 -0400
committer	William C Roberts <william.c.roberts@intel.com>	Tue Jul 26 20:04:29 2016 +0000
tree	2bf4b8f74d19d5a54fc2d3cd6b32e878d3cf3492
parent	362d6ff1b881fafa044b4cbc4428a4cc4caa1938 [diff]