authorNick Kralevich <nnk@google.com>2016-02-10 09:33:08 -0800
committerNick Kralevich <nnk@google.com>2016-02-10 09:41:40 -0800
commiteb43e6548e1c23d9b47b98d6dd429f9887223dfa (patch)
tree79ed7f631002de7f2f37f7f65b5eae5dcf92c318
parent3ec34ceb43b15c30e9c7bf1720ebea24f868d07a (diff)
downloadsepolicy-eb43e6548e1c23d9b47b98d6dd429f9887223dfa.tar.gz
uncrypt: drop generic block_device allow rules
Currently, uncrypt has write access to "block_device". This is the generic label used for a file in /dev/block which doesn't have a more specific label assigned to it. This is an overly broad grant. Commit a10f789d286d0f28c85488629cc92f5ab6ca8e00 started the process of deprecating "block_device" access in favor of "misc_block_device". This change completes the deprecation and removes the overly broad grant. Also update the neverallow rules so that this overly broad rule cannot be reintroduced into uncrypt. Bug: 25091603 Change-Id: Ifc5fa412db2f95726ae89c32c577a6659885ae55
-rw-r--r--domain.te2
-rw-r--r--uncrypt.te2
2 files changed, 1 insertions, 3 deletions
diff --git a/domain.te b/domain.te
index b2117db..2922da6 100644
--- a/domain.te
+++ b/domain.te
@@ -238,7 +238,7 @@ neverallow * init:binder *;
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
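Review bot: The comment above this neverallow does not say why kernel, init and recovery are still exempt, and with uncrypt removed from the list that is the part a later editor most needs. I would extend it with a line such as `# kernel, init and recovery are the only exemptions; label the device with a specific type rather than adding a domain here`. The rationale for each of the three is not visible in the hunk, so the exact wording should be confirmed by someone who knows why they need the access.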
diff --git a/uncrypt.te b/uncrypt.te
index 354bda0..9231a4d 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -26,8 +26,6 @@ set_prop(uncrypt, powerctl_prop)
# Raw writes to block device
allow uncrypt self:capability sys_rawio;
-allow uncrypt block_device:blk_file w_file_perms;
-auditallow uncrypt block_device:blk_file w_file_perms;
allow uncrypt misc_block_device:blk_file w_file_perms;
allow uncrypt block_device:dir r_dir_perms;
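Review bot: The removed `auditallow` was the only signal for a device that still reaches its target partition through the generic `block_device` label, and the description does not say whether those audit records were checked before the grant was dropped. On a device whose file_contexts does not assign `misc_block_device` to that partition, uncrypt's write would presumably now be denied, so a device-side check or a porting note is worth having. Separately, the `# Raw writes to block device` comment at the top of the hunk now reads broader than the rules visible under it; something like `# Raw writes, restricted to specifically labeled block devices (generic block_device is neverallowed in domain.te)` would match the new policy.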