init: lock down access to keychord_device
The out-of-tree keychord driver is only intended for use by init.
Test: build
Bug: 64114943
Bug: 78174219
Change-Id: I96a7fbcd9a54a38625063606f5c4ab6d40d701f6
diff --git a/public/domain.te b/public/domain.te
index 2856f2c..0e815b6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -363,6 +363,14 @@
-system_server
-ueventd
} hw_random_device:chr_file *;
+# b/78174219 b/64114943
+neverallow {
+ domain
+ -init
+ -shell # stat of /dev, getattr only
+ -vendor_init
+ -ueventd
+} keychord_device:chr_file *;
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
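Review bot: The `-shell` exclusion in the new keychord_device neverallow exempts shell from the entire `*` permission set, so the intent recorded in the comment (`stat of /dev, getattr only`) is documented but not enforced: a later allow rule granting shell open/read/write/ioctl on keychord_device would still pass the build-time neverallow check. A second rule pins the exception to what the comment states, `neverallow shell keychord_device:chr_file ~getattr;`, so the carve-out cannot silently widen. The `-vendor_init` exclusion is uncommented; if it exists only for device-node setup rather than for using the driver (which I cannot confirm from the hunk), a comment such as `# vendor_init: device node setup only` and a similarly narrowed bound would make that explicit. The neverallow block begins and ends within this hunk.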