tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Removing init and ueventd access to generic char files

Browse source 
am: 3171829af3

Change-Id: Ifef40c211276c8cdf576e10cb04753dcb150ad65
This commit is contained in:
Max Bires 2017-02-02 03:25:21 +00:00 committed by android-build-merger
commit 56ae32916c
3 changed files with 7 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
public/domain.te
View file

@ -271,9 +271,7 @@ neverallow * *:{ blk_file chr_file } rename;
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# init is exempt from this as there are character devices that only it uses.
# ueventd is exempt from this, as it is managing these devices.
neverallow { domain -init -ueventd } device:chr_file { open read write };
neverallow domain device:chr_file { open read write };
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need

12
public/init.te
View file

@ -195,8 +195,13 @@ userdebug_or_eng(`
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
# init should not be able to read or open generic devices
# TODO: auditing to see if this can be deleted entirely
allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
auditallow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
# chown/chmod on devices.
allow init { dev_type -kmem_device -port_device }:chr_file { read open setattr };
allow init { dev_type -kmem_device -port_device }:chr_file setattr;
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
@ -318,11 +323,6 @@ allow init hw_random_device:chr_file r_file_perms;
# only ever accessed by init.
allow init device:file create_file_perms;
# Access character devices without a specific type,
# TODO: Remove this access and auditallow (b/33347297)
allow init device:chr_file { rw_file_perms setattr };
auditallow init device:chr_file { rw_file_perms setattr };
# keychord configuration
allow init self:capability sys_tty_config;
allow init keychord_device:chr_file rw_file_perms;

2
public/ueventd.te
View file

@ -7,8 +7,6 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file create_file_perms;
allow ueventd device:chr_file rw_file_perms;
auditallow ueventd device:chr_file rw_file_perms;
r_dir_file(ueventd, sysfs_type)
r_dir_file(ueventd, rootfs)