diff --git a/domain.te b/domain.te
index 19de0c0af..7df8e6fb9 100644
--- a/domain.te
+++ b/domain.te
@@ -187,7 +187,13 @@ neverallow { } self:capability sys_ptrace; # Limit device node creation to these whitelisted domains. -neverallow { domain -kernel -init -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod; +neverallow { + domain + -kernel + -init + -ueventd + -vold +} self:capability mknod; # Limit raw I/O to these whitelisted domains. neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
diff --git a/healthd.te b/healthd.te
index a1019ee92..cd5429be1 100644
--- a/healthd.te
+++ b/healthd.te
@@ -2,12 +2,10 @@ # it lives in the rootfs and has no unique file type. type healthd, domain; -write_klog(healthd) -# /dev/__null__ created by init prior to policy load, -# open fd inherited by healthd. -allow healthd tmpfs:chr_file { read write }; +# Write to /dev/kmsg +allow healthd kmsg_device:chr_file rw_file_perms; -allow healthd self:capability { net_admin mknod sys_tty_config }; +allow healthd self:capability { net_admin sys_tty_config }; wakelock_use(healthd) allow healthd self:netlink_kobject_uevent_socket create_socket_perms; binder_use(healthd)
diff --git a/slideshow.te b/slideshow.te
index 2b82b3e01..86d4bff2e 100644
--- a/slideshow.te
+++ b/slideshow.te
@@ -2,10 +2,10 @@ # it lives in the rootfs and has no unique file type. type slideshow, domain; -write_klog(slideshow) +allow slideshow kmsg_device:chr_file rw_file_perms; wakelock_use(slideshow) allow slideshow device:dir r_dir_perms; -allow slideshow self:capability { mknod sys_tty_config }; +allow slideshow self:capability sys_tty_config; allow slideshow graphics_device:dir r_dir_perms; allow slideshow graphics_device:chr_file rw_file_perms; allow slideshow input_device:dir r_dir_perms;
diff --git a/te_macros b/te_macros
index 408d9d5fe..100c734e5 100644
--- a/te_macros
+++ b/te_macros
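Review bot: In domain.te the `sys_rawio` neverallow left as trailing context still exempts `watchdogd` and `healthd`, although this commit removes both from the `mknod` exemption list directly above it. The capability rule for healthd visible in this diff is `{ net_admin sys_tty_config }` and the new watchdogd.te shows no capability rule at all, so neither appears to need raw I/O. If no rule outside these hunks or in device policy grants it, drop `-watchdogd -healthd` from that list too. Whether `-uncrypt` can go as well cannot be judged from this diff. It would also read better if both rules used the new one-domain-per-line layout.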
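Review bot: In healthd.te, `allow healthd kmsg_device:chr_file rw_file_perms;` grants read on /dev/kmsg, although the comment above it says "Write to /dev/kmsg" and the removed `write_klog` macro only allowed `{ create open write unlink }`. Read access lets the domain consume the kernel log, which can expose kernel addresses and messages from other components, so write-only is the least-privilege form: `allow healthd kmsg_device:chr_file w_file_perms;`. The same applies to the `kmsg_device` rules added in slideshow.te, vold.te and watchdogd.te. If the logging code opens the node read-write, the narrower rule will surface as a denial, so check how /dev/kmsg is opened before tightening.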
@@ -274,17 +274,6 @@ define(`access_kmsg', ` allow $1 kernel:system syslog_read; ') -##################################### -# write_klog(domain) -# Ability to write to kernel log via -# klog_write() -# See system/core/libcutil/klog.c -define(`write_klog', ` -type_transition $1 device:chr_file klog_device "__kmsg__"; -allow $1 klog_device:chr_file { create open write unlink }; -allow $1 device:dir { write add_name remove_name }; -') - ##################################### # create_pty(domain) # Allow domain to create and use a pty, isolated from any other domain ptys.
diff --git a/ueventd.te b/ueventd.te
index 23c93ad85..f4884d703 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -2,7 +2,12 @@ # it lives in the rootfs and has no unique file type. type ueventd, domain; tmpfs_domain(ueventd) -write_klog(ueventd) + +# TODO: why is ueventd using __kmsg__ when it should just create +# and use /dev/kmsg instead? +type_transition ueventd device:chr_file klog_device "__kmsg__"; +allow ueventd klog_device:chr_file { create open write unlink }; + security_access_policy(ueventd) allow ueventd init:process sigchld; allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
diff --git a/vold.te b/vold.te
index 9ab00c711..49815c882 100644
--- a/vold.te
+++ b/vold.te
@@ -81,7 +81,7 @@ allow vold self:capability { sys_ptrace kill }; # XXX Label sysfs files with a specific type? allow vold sysfs:file rw_file_perms; -write_klog(vold) +allow vold kmsg_device:chr_file rw_file_perms; # Run fsck. allow vold fsck_exec:file rx_file_perms;
diff --git a/watchdogd.te b/watchdogd.te
index ab9356000..00292a9a9 100644
--- a/watchdogd.te
+++ b/watchdogd.te
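Review bot: In ueventd.te the rules inlined from the removed macro leave out its third line, `allow $1 device:dir { write add_name remove_name };`, yet creating and unlinking `/dev/__kmsg__` still needs those directory permissions. ueventd presumably gets them from a rule outside this hunk. If so, say that in the comment; otherwise node creation will be denied. The TODO is phrased as an open question with no owner, so it would be more useful as a statement of the intended end state, for example `# TODO(<bug id>): switch ueventd to kmsg_device and drop the __kmsg__ transition.`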
@@ -1,9 +1,4 @@ # watchdogd seclabel is specified in init..rc type watchdogd, domain; -allow watchdogd self:capability mknod; -allow watchdogd device:dir { add_name write remove_name }; allow watchdogd watchdog_device:chr_file rw_file_perms; -# because of /dev/__kmsg__ and /dev/__null__ -write_klog(watchdogd) -type_transition watchdogd device:chr_file null_device "__null__"; -allow watchdogd null_device:chr_file { create unlink }; +allow watchdogd kmsg_device:chr_file rw_file_perms;