Removing init and ueventd access to generic char files am: 3171829af3 am: 56ae32916c am: ec4eece92b
am: 62e4a2a715
Change-Id: I30c5b40fedfb3f9a9cab2633fc52d86442fdf709
This commit is contained in:
Max Bires
android-build-merger
commit
368f68c866
3 changed files with 7 additions and 11 deletions
|
|
@ -271,9 +271,7 @@ neverallow * *:{ blk_file chr_file } rename;
|
|||
|
||||
# Don't allow raw read/write/open access to generic devices.
|
||||
# Rather force a relabel to a more specific type.
|
||||
# init is exempt from this as there are character devices that only it uses.
|
||||
# ueventd is exempt from this, as it is managing these devices.
|
||||
neverallow { domain -init -ueventd } device:chr_file { open read write };
|
||||
neverallow domain device:chr_file { open read write };
|
||||
|
||||
# Limit what domains can mount filesystems or change their mount flags.
|
||||
# sdcard_type / vfat is exempt as a larger set of domains need
|
||||
|
|
|
|||
|
|
@ -195,8 +195,13 @@ userdebug_or_eng(`
|
|||
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
|
||||
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
|
||||
|
||||
# init should not be able to read or open generic devices
|
||||
# TODO: auditing to see if this can be deleted entirely
|
||||
allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
|
||||
auditallow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
|
||||
|
||||
# chown/chmod on devices.
|
||||
allow init { dev_type -kmem_device -port_device }:chr_file { read open setattr };
|
||||
allow init { dev_type -kmem_device -port_device }:chr_file setattr;
|
||||
|
||||
# Unlabeled file access for upgrades from 4.2.
|
||||
allow init unlabeled:dir { create_dir_perms relabelfrom };
|
||||
|
|
@ -318,11 +323,6 @@ allow init hw_random_device:chr_file r_file_perms;
|
|||
# only ever accessed by init.
|
||||
allow init device:file create_file_perms;
|
||||
|
||||
# Access character devices without a specific type,
|
||||
# TODO: Remove this access and auditallow (b/33347297)
|
||||
allow init device:chr_file { rw_file_perms setattr };
|
||||
auditallow init device:chr_file { rw_file_perms setattr };
|
||||
|
||||
# keychord configuration
|
||||
allow init self:capability sys_tty_config;
|
||||
allow init keychord_device:chr_file rw_file_perms;
|
||||
|
|
|
|||
|
|
@ -7,8 +7,6 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
|
|||
|
||||
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
|
||||
allow ueventd device:file create_file_perms;
|
||||
allow ueventd device:chr_file rw_file_perms;
|
||||
auditallow ueventd device:chr_file rw_file_perms;
|
||||
|
||||
r_dir_file(ueventd, sysfs_type)
|
||||
r_dir_file(ueventd, rootfs)
|
||||
|
|
|
|||
Loading…
Reference in a new issue