platform_system_sepolicy/public/ueventd.te

# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain;

# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;

allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file create_file_perms;

r_dir_file(ueventd, rootfs)

# ueventd needs write access to files in /sys to regenerate uevents
allow ueventd sysfs_type:file w_file_perms;
r_dir_file(ueventd, sysfs_type)
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
allow ueventd tmpfs:chr_file rw_file_perms;
allow ueventd dev_type:dir create_dir_perms;
allow ueventd dev_type:lnk_file { create unlink };
allow ueventd dev_type:chr_file { getattr create setattr unlink };
allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow ueventd efs_file:dir search;
allow ueventd efs_file:file r_file_perms;

# Get SELinux enforcing status.
r_dir_file(ueventd, selinuxfs)

# Access for /vendor/ueventd.rc and /vendor/firmware
r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })

# Get file contexts for new device nodes
allow ueventd file_contexts_file:file r_file_perms;

# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;

# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
allow ueventd proc_cmdline:file r_file_perms;

# Everything is labeled as rootfs in recovery mode. ueventd has to execute
# the dynamic linker and shared libraries.
recovery_only(`
  allow ueventd rootfs:file { r_file_perms execute };
')

# Suppress denials for ueventd to getattr /postinstall. This occurs when the
# linker tries to resolve paths in ld.config.txt.
dontaudit ueventd postinstall_mnt_dir:dir getattr;

#####
##### neverallow rules
#####

# ueventd must never set properties, otherwise deadlocks may occur.
# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
# No writing to the property socket, connecting to init, or setting properties.
neverallow ueventd property_socket:sock_file write;
neverallow ueventd init:unix_stream_socket connectto;
neverallow ueventd property_type:property_service set;

# Restrict ueventd access on block devices to maintenence operations.
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };

# Only relabelto as we would never want to relabelfrom kmem_device or port_device
neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
SE Android policy. 2012-01-04 18:33:27 +01:00			`# ueventd seclabel is specified in init.rc since`
			`# it lives in the rootfs and has no unique file type.`
Move domain_deprecated into private policy This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b 2017-05-15 22:19:03 +02:00			`type ueventd, domain;`
Allow /dev/klog access, drop mknod and __null__ access Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg. These processes log to the kernel dmesg ring buffer, so they need write access to that file. Addresses the following denials: avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 These denials were triggered by the change in https://android-review.googlesource.com/151209 . Prior to that change, any code which called klog_init would (unnecessarily) create the device node themselves, rather than using the already existing device node. Drop special /dev/__null__ handling from watchdogd. As of https://android-review.googlesource.com/148288 , watchdogd no longer creates it's own /dev/null device, so it's unnecessary for us to allow for it. Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow only needed mknod to create /dev/__kmsg__, which is now obsolete. watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__, which again is now obsolete. Bug: 21242418 Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534 2015-06-06 16:42:37 +02:00
Simplify /dev/kmsg SELinux policy. Bug: http://b/30317429 Change-Id: I5c499c48d5e321ebdf588a162d29e949935ad8ee Test: adb shell dmesg \| grep ueventd 2016-07-26 18:46:20 +02:00			`# Write to /dev/kmsg.`
			`allow ueventd kmsg_device:chr_file rw_file_perms;`
Allow /dev/klog access, drop mknod and __null__ access Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg. These processes log to the kernel dmesg ring buffer, so they need write access to that file. Addresses the following denials: avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 These denials were triggered by the change in https://android-review.googlesource.com/151209 . Prior to that change, any code which called klog_init would (unnecessarily) create the device node themselves, rather than using the already existing device node. Drop special /dev/__null__ handling from watchdogd. As of https://android-review.googlesource.com/148288 , watchdogd no longer creates it's own /dev/null device, so it's unnecessary for us to allow for it. Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow only needed mknod to create /dev/__kmsg__, which is now obsolete. watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__, which again is now obsolete. Bug: 21242418 Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534 2015-06-06 16:42:37 +02:00
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f 2017-11-09 23:51:26 +01:00			`allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };`
Start confining ueventd * Keep ueventd in permissive * Drop unconfined macro to collect logs * Restore allow rules to current NSA maintained policy Change-Id: Ic4ee8e24ccd8887fed151ae1e4f197512849f57b 2013-10-06 21:36:11 +02:00			`allow ueventd device:file create_file_perms;`
Auditing init and ueventd access to chr device files. It seems likely that there is no reason to keep around a number of devices that are configured to be included into the pixel kernels. Init and ueventd should be the only processes with r/w access to these devices, so auditallow rules have been added to ensure that they aren't actually used. /dev/keychord was given its own type since it's one of the few character devices that's actually legitimately used and would cause log spam in the auditallow otherwise. Bug: 33347297 Test: The phone boots without any apparent log spam. Change-Id: I3dd9557df8a9218b8c802e33ff549d15849216fb 2017-01-09 23:57:03 +01:00
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b 2016-09-10 01:27:17 +02:00			`r_dir_file(ueventd, rootfs)`
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb 2017-09-26 21:58:29 +02:00
			`# ueventd needs write access to files in /sys to regenerate uevents`
			`allow ueventd sysfs_type:file w_file_perms;`
			`r_dir_file(ueventd, sysfs_type)`
			`allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };`
			`allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };`
Start confining ueventd * Keep ueventd in permissive * Drop unconfined macro to collect logs * Restore allow rules to current NSA maintained policy Change-Id: Ic4ee8e24ccd8887fed151ae1e4f197512849f57b 2013-10-06 21:36:11 +02:00			`allow ueventd tmpfs:chr_file rw_file_perms;`
			`allow ueventd dev_type:dir create_dir_perms;`
			`allow ueventd dev_type:lnk_file { create unlink };`
ueventd: allow getattr on blk and chr types. The commit: d41ad551189c1b7be26a1807980418858b2a132e fixes a race in coldboot. However, introduced a seperate bug where existing character files were being relabeled. The fix was to have ueventd ensure their was a delta between the old and new labels and only then call lsetfilecon(). To do this we call lgetfilecon() which calls lgetxattr(), this requires getattr permissions. This patch is void of any relabelfrom/to for ueventd on chr_file as those can be added as they occur. Bug: 29106809 Change-Id: I84f60539252fc2b4a71cf01f78e3cadcfad443ef Signed-off-by: William Roberts <william.c.roberts@intel.com> 2016-06-03 00:06:02 +02:00			`allow ueventd dev_type:chr_file { getattr create setattr unlink };`
			`allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };`
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe 2016-05-17 06:12:17 +02:00			`allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;`
Start confining ueventd * Keep ueventd in permissive * Drop unconfined macro to collect logs * Restore allow rules to current NSA maintained policy Change-Id: Ic4ee8e24ccd8887fed151ae1e4f197512849f57b 2013-10-06 21:36:11 +02:00			`allow ueventd efs_file:dir search;`
			`allow ueventd efs_file:file r_file_perms;`
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-05-23 17:26:19 +02:00
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b 2016-09-10 01:27:17 +02:00			`# Get SELinux enforcing status.`
			`r_dir_file(ueventd, selinuxfs)`

sepolicy: relabel /vendor The CL splits /vendor labeling from /system. Which was allowing all processes read, execute access to /vendor. Following directories will remain world readable /vendor/etc /vendor/lib(64)/hw/ Following are currently world readable but their scope will be minimized to platform processes that require access /vendor/app /vendor/framework/ /vendor/overlay Files labelled with 'same_process_hal_file' are allowed to be read + executed from by the world. This is for Same process HALs and their dependencies. Bug: 36527360 Bug: 36832490 Bug: 36681210 Bug: 36680116 Bug: 36690845 Bug: 36697328 Bug: 36696623 Bug: 36806861 Bug: 36656392 Bug: 36696623 Bug: 36792803 All of the tests were done on sailfish, angler, bullhead, dragon Test: Boot and connect to wifi Test: Run chrome and load websites, play video in youtube, load maps w/ current location, take pictures and record video in camera, playback recorded video. Test: Connect to BT headset and ensure BT audio playback works. Test: OTA sideload using recovery Test: CTS SELinuxHostTest pass Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029 Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-04-02 02:17:12 +02:00			`# Access for /vendor/ueventd.rc and /vendor/firmware`
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb 2017-09-26 21:58:29 +02:00			`r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })`
sepolicy: relabel /vendor The CL splits /vendor labeling from /system. Which was allowing all processes read, execute access to /vendor. Following directories will remain world readable /vendor/etc /vendor/lib(64)/hw/ Following are currently world readable but their scope will be minimized to platform processes that require access /vendor/app /vendor/framework/ /vendor/overlay Files labelled with 'same_process_hal_file' are allowed to be read + executed from by the world. This is for Same process HALs and their dependencies. Bug: 36527360 Bug: 36832490 Bug: 36681210 Bug: 36680116 Bug: 36690845 Bug: 36697328 Bug: 36696623 Bug: 36806861 Bug: 36656392 Bug: 36696623 Bug: 36792803 All of the tests were done on sailfish, angler, bullhead, dragon Test: Boot and connect to wifi Test: Run chrome and load websites, play video in youtube, load maps w/ current location, take pictures and record video in camera, playback recorded video. Test: Connect to BT headset and ensure BT audio playback works. Test: OTA sideload using recovery Test: CTS SELinuxHostTest pass Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029 Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-04-02 02:17:12 +02:00
file_context: explicitly label all file context files file_context files need to be explicitly labeled as they are now split across system and vendor and won't have the generic world readable 'system_file' label. Bug: 36002414 Test: no new 'file_context' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: ./cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi \ arm64-v8a --module CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testAospFileContexts Change-Id: I603157e9fa7d1de3679d41e343de397631666273 Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-03-24 23:02:13 +01:00			`# Get file contexts for new device nodes`
			`allow ueventd file_contexts_file:file r_file_perms;`

Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-05-23 17:26:19 +02:00			`# Use setfscreatecon() to label /dev directories and files.`
			`allow ueventd self:process setfscreate;`
neverallow ueventd to set properties Add a compile time assertion that no SELinux rules exist which allow ueventd to set properties, or even connect to the property socket. See https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941 for details. Change-Id: Ia9e932a3d94443d70644b14f36c74df4be7e9e32 2015-03-03 05:10:48 +01:00
ueventd: allow reading kernel cmdline This is needed when ueventd needs to read device tree files (/proc/device-tree). Prior to acccess, it tries to read "androidboot.android_dt_dir" from kernel cmdline for a custom Android DT path. Bug: 78613232 Test: boot a device without unknown SELinux denials Change-Id: Iff9c882b4fcad5e384757a1e42e4a1d1259bb574 2018-05-17 12:28:33 +02:00			`# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.`
			`allow ueventd proc_cmdline:file r_file_perms;`

init is a dynamic executable init is now a dynamic executable. So it has to be able to execute the dynamic linker (/system/bin/linker) and shared libraries (e.g., /system/lib/libc.so). Furthermore, when in recovery mode, the files are all labeled as rootfs - because the recovery ramdisk does not support xattr, so files of type rootfs is allowed to be executed. Do the same for kernel and ueventd because they are executing the init executable. Bug: 63673171 Test: `adb reboot recovery; adb devices` shows the device ID Change-Id: Ic6225bb8e129a00771e1455e259ff28241b70396 2018-06-01 12:28:59 +02:00			`# Everything is labeled as rootfs in recovery mode. ueventd has to execute`
			`# the dynamic linker and shared libraries.`
			recovery_only(`
			`allow ueventd rootfs:file { r_file_perms execute };`
			`')`

Suppress denial for ueventd to getattr From now on, linker will resolve dir.${section} paths of ld.config.txt. This is added to suppress SELinux denial during resolving /postinstall. Bug: http://b/80422611 Test: on taimen m -j, logcat \| grep denied, atest on bionic/linker/tests Change-Id: I12c2bb76d71ae84055b5026933dcaa6ef2808590 2018-06-19 03:34:15 +02:00			`# Suppress denials for ueventd to getattr /postinstall. This occurs when the`
			`# linker tries to resolve paths in ld.config.txt.`
			`dontaudit ueventd postinstall_mnt_dir:dir getattr;`

neverallow ueventd to set properties Add a compile time assertion that no SELinux rules exist which allow ueventd to set properties, or even connect to the property socket. See https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941 for details. Change-Id: Ia9e932a3d94443d70644b14f36c74df4be7e9e32 2015-03-03 05:10:48 +01:00			`#####`
			`##### neverallow rules`
			`#####`

			`# ueventd must never set properties, otherwise deadlocks may occur.`
			`# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941`
			`# No writing to the property socket, connecting to init, or setting properties.`
			`neverallow ueventd property_socket:sock_file write;`
			`neverallow ueventd init:unix_stream_socket connectto;`
			`neverallow ueventd property_type:property_service set;`
ueventd: allow getattr on blk and chr types. The commit: d41ad551189c1b7be26a1807980418858b2a132e fixes a race in coldboot. However, introduced a seperate bug where existing character files were being relabeled. The fix was to have ueventd ensure their was a delta between the old and new labels and only then call lsetfilecon(). To do this we call lgetfilecon() which calls lgetxattr(), this requires getattr permissions. This patch is void of any relabelfrom/to for ueventd on chr_file as those can be added as they occur. Bug: 29106809 Change-Id: I84f60539252fc2b4a71cf01f78e3cadcfad443ef Signed-off-by: William Roberts <william.c.roberts@intel.com> 2016-06-03 00:06:02 +02:00
			`# Restrict ueventd access on block devices to maintenence operations.`
			`neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };`

/dev/port does not seem to be used, adding in rules to confirm. Only init and ueventd have any access to /dev/port, and neither should have any use for it. As it stands, leaving port in just represents additional attack surface with no useful functionality, so it should be removed if possible, not only from Pixel devices, but from all Android devices. Test: The phone boots successfully Bug:33301618 Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f 2016-12-05 00:11:29 +01:00			`# Only relabelto as we would never want to relabelfrom kmem_device or port_device`
			`neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };`