cf: add missing labels for /dev/* files

Label /dev/input_events and /dev/socket_forward as input_events_device
and socket_forward_device respectively, and grant the appropriate
permissions to the domains that use these /dev nodes.

Bug: 28053261
Test: boot cuttlefish without denials to /dev/* nodes
Change-Id: Ia05b890dd8fe126db74945bd300537d4c58edc5f
diff --git a/shared/sepolicy/device.te b/shared/sepolicy/device.te
index 24c317f..7c7330c 100644
--- a/shared/sepolicy/device.te
+++ b/shared/sepolicy/device.te
@@ -1,4 +1,6 @@
 # Device types
+type input_events_device, dev_type;
+type socket_forward_device, dev_type;
 type region_e2e_test_device, dev_type;
+type region_screen_device, dev_type;
 type virtual_serial_device, dev_type;
-type region_screen_device, dev_type;
\ No newline at end of file
diff --git a/shared/sepolicy/file_contexts b/shared/sepolicy/file_contexts
index e8cdc1c..3a00066 100644
--- a/shared/sepolicy/file_contexts
+++ b/shared/sepolicy/file_contexts
@@ -1,13 +1,15 @@
 ##########################
 # Devices
 #
+/dev/block/zram0  u:object_r:swap_block_device:s0
 /dev/e2e_managed  u:object_r:region_e2e_test_device:s0
 /dev/e2e_manager  u:object_r:region_e2e_test_device:s0
 /dev/e2e_primary  u:object_r:region_e2e_test_device:s0
 /dev/e2e_secondary  u:object_r:region_e2e_test_device:s0
+/dev/input_events  u:object_r:input_events_device:s0
 /dev/screen  u:object_r:region_screen_device:s0
+/dev/socket_forward  u:object_r:socket_forward_device:s0
 /dev/vport[0-9]p[0-9]*  u:object_r:virtual_serial_device:s0
-/dev/block/zram0  u:object_r:swap_block_device:s0
 
 #############################
 # Root files
diff --git a/shared/sepolicy/socket_forward_proxy.te b/shared/sepolicy/socket_forward_proxy.te
index 50f688d..e7b9f30 100644
--- a/shared/sepolicy/socket_forward_proxy.te
+++ b/shared/sepolicy/socket_forward_proxy.te
@@ -3,3 +3,4 @@
 
 init_daemon_domain(socket_forward_proxy)
 
+allow socket_forward_proxy socket_forward_device:chr_file r_file_perms;
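Review bot: The allow rule added at the end of socket_forward_proxy.te has no comment saying why the proxy needs the node, and the same applies to the input_events_device rule added in vsoc_input_service.te, which sits directly under a commented rule. A line such as `# /dev/socket_forward: read-only access for the proxy daemon` above the rule would let a later auditor judge whether the grant is still the minimum needed. Note that r_file_perms in the standard AOSP macro set is wider than plain read (it includes ioctl and lock), so if the daemon only opens and reads the node, an explicit narrower set may be enough. That depends on what the daemon does with the descriptor, which is not visible in this diff.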
diff --git a/shared/sepolicy/vendor_init.te b/shared/sepolicy/vendor_init.te
new file mode 100644
index 0000000..4e4892f
--- /dev/null
+++ b/shared/sepolicy/vendor_init.te
@@ -0,0 +1,5 @@
+allow vendor_init {
+  audio_device
+  input_events_device
+  region_screen_device
+}:chr_file { getattr };
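Review bot: The new vendor_init.te grants getattr on audio_device and region_screen_device as well as input_events_device, but the commit description only mentions the /dev/input_events and /dev/socket_forward labels. The file also has no comment explaining what makes vendor_init stat these nodes. Because this is a brand-new file, a header comment would help the next policy audit, for example `# vendor_init only stats these nodes (getattr); source of the access: <init script / trigger, to be filled in>`. socket_forward_device is not in the set; presumably vendor_init never touches /dev/socket_forward, but it is worth confirming the omission is intentional rather than a denial the boot test did not happen to trigger.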
diff --git a/shared/sepolicy/vsoc_input_service.te b/shared/sepolicy/vsoc_input_service.te
index 5b7d41c..0ff170b 100644
--- a/shared/sepolicy/vsoc_input_service.te
+++ b/shared/sepolicy/vsoc_input_service.te
@@ -8,3 +8,5 @@
 
 # Framebuffer I/O (needed to obtain the screen size)
 allow vsoc_input_service region_screen_device:chr_file rw_file_perms;
+
+allow vsoc_input_service input_events_device:chr_file r_file_perms;