neverallow ueventd to set properties
Add a compile time assertion that no SELinux rules exist which allow ueventd to set properties, or even connect to the property socket. See https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941 for details. Change-Id: Ia9e932a3d94443d70644b14f36c74df4be7e9e32
This commit is contained in:
Nick Kralevich
parent
19eecd2dd7
commit
3e113edf02
1 changed files with 11 additions and 0 deletions
11
ueventd.te
11
ueventd.te
|
|
@ -23,3 +23,14 @@ allow ueventd efs_file:file r_file_perms;
|
|||
|
||||
# Use setfscreatecon() to label /dev directories and files.
|
||||
allow ueventd self:process setfscreate;
|
||||
|
||||
#####
|
||||
##### neverallow rules
|
||||
#####
|
||||
|
||||
# ueventd must never set properties, otherwise deadlocks may occur.
|
||||
# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
|
||||
# No writing to the property socket, connecting to init, or setting properties.
|
||||
neverallow ueventd property_socket:sock_file write;
|
||||
neverallow ueventd init:unix_stream_socket connectto;
|
||||
neverallow ueventd property_type:property_service set;
|
||||
|
|
|
|||
Loading…
Reference in a new issue