ueventd.te: auditallow device:chr_file
By default, files created in /dev are labeled with the "device" label unless a different label has been assigned. The direct use of this generic label is discouraged (and in many cases neverallowed) because rules involving this label tend to be overly broad and permissive. Today, generically labeled character devices can only be opened, read, or written to by init and ueventd.

$ sesearch --allow -t device -c chr_file -p open,read,write out/target/product/marlin/root/sepolicy
allow init device:chr_file { setattr read lock getattr write ioctl open append };
allow ueventd device:chr_file { read lock getattr write ioctl open append };

This is enforced by the following SELinux neverallow rule (compile time assertion + CTS test):

neverallow { domain -init -ueventd } device:chr_file { open read write };

Start auditallowing ueventd access to /dev character device files with the default SELinux label. This doesn't appear to be used, but let's prove it. While ueventd is expected to create files in /dev, it has no need to open most of the files it creates.

Note, however, that because ueventd has mknod + setfscreate permissions, a malicious or compromised ueventd can always create a device node under an incorrect label, and gain access that way.

The goal of this change is to prove that no process other than init is accessing generically labeled files in /dev.

While I'm here, tighten up the compile time assertion for device:chr_file to include more permissions.

Test: policy compiles + device boots with no granted messages.

Change-Id: Ic98b0ddc631b49b09e58698d9f40738ccedd1fd0
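A defender-side check for the "Test:" line above, added here and not part of the commit or of the AOSP policy tooling: it parses audit log lines for the `avc: granted` records that an auditallow rule emits and reports which generically labeled nodes a given domain touched. The log lines are constructed to look like Android audit output, not captured from a device.

```python
"""Summarise SELinux 'avc: granted' records per domain/type/class.

Added example; the SAMPLE_LOG lines are constructed, not real device output.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: two auditallow hits for ueventd, one for init, one denial.
SAMPLE_LOG = """\
type=1400 audit(1.0:5): avc: granted { open read } for pid=123 comm="ueventd" name="example0" dev="tmpfs" ino=7 scontext=u:r:ueventd:s0 tcontext=u:object_r:device:s0 tclass=chr_file
type=1400 audit(1.0:6): avc: granted { ioctl } for pid=123 comm="ueventd" name="example0" dev="tmpfs" ino=7 scontext=u:r:ueventd:s0 tcontext=u:object_r:device:s0 tclass=chr_file
type=1400 audit(1.0:7): avc: granted { read } for pid=1 comm="init" name="example1" dev="tmpfs" ino=8 scontext=u:r:init:s0 tcontext=u:object_r:device:s0 tclass=chr_file
type=1400 audit(1.0:8): avc: denied { write } for pid=456 comm="foo" name="example2" dev="tmpfs" ino=9 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
"""


def parse_avc(line):
    """Return a dict for one avc record (decision, perms, key=value fields), else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": set(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def granted_by_domain(lines, domain, ttype, tclass):
    """Map object name -> union of granted permissions for records where the
    source domain is `domain` and the target is `ttype`:`tclass`.
    Android contexts look like u:r:ueventd:s0 / u:object_r:device:s0, so the
    type is the third colon-separated field."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec["decision"] != "granted":
            continue
        if rec.get("scontext", "").split(":")[2:3] != [domain]:
            continue
        if rec.get("tcontext", "").split(":")[2:3] != [ttype]:
            continue
        if rec.get("tclass") != tclass:
            continue
        hits[rec.get("name", "?")] |= rec["perms"]
    return dict(hits)


if __name__ == "__main__":
    # On a device, feed `dmesg` or logcat output instead of SAMPLE_LOG.
    for name, perms in granted_by_domain(SAMPLE_LOG.splitlines(), "ueventd", "device", "chr_file").items():
        print(f"ueventd touched device:chr_file {name}: {' '.join(sorted(perms))}")
```

An empty result for ueventd across a full boot (and whatever uevent activity the device sees) is the evidence the commit message is asking for; any non-empty entry names the node and permissions to investigate.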
parent a24d7f5392
commit ed0b4eb366
2 changed files with 8 additions and 2 deletions
@ -299,8 +299,9 @@ neverallow { domain -kernel -init -recovery } block_device:blk_file { open read
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# init is exempt from this as there are character devices that only it uses.
# ueventd is exempt from this, as it is managing these devices.
neverallow { domain -init -ueventd } device:chr_file { open read write };
# uevent historically was granted access, but this does not appear used.
# Tightening candidate?
neverallow { domain -init -ueventd } device:chr_file no_rw_file_perms;
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
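Review bot: the new comment `# uevent historically was granted access, but this does not appear used.` misspells the domain as `uevent`; the exemption in the rule is for `ueventd`, so spell it that way so a grep for the domain finds both the comment and the rule. The same block now carries `# ueventd is exempt from this, as it is managing these devices.` directly above `# Tightening candidate?`, which reads as a justification and a doubt for the same exemption; consider folding them into one sentence saying the ueventd exemption is provisional pending the auditallow results in ueventd.te. Separately, since `device:chr_file` is now asserted with `no_rw_file_perms`, the `block_device:blk_file { open read ...` assertion visible in the hunk header still uses the narrower literal permission set; a follow-up to align the two would keep the assertions consistent.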
@ -7,7 +7,12 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file create_file_perms;
# Read/write generically labeled /dev character device files.
# TODO: this rule appears unnecessary. Delete?
allow ueventd device:chr_file rw_file_perms;
auditallow ueventd device:chr_file { read lock write ioctl open append };
r_dir_file(ueventd, sysfs_type)
r_dir_file(ueventd, rootfs)
allow ueventd sysfs:file w_file_perms;
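Review bot: `auditallow ueventd device:chr_file { read lock write ioctl open append };` omits `getattr`, which the `allow ueventd device:chr_file rw_file_perms;` line above it still grants (the sesearch output in the commit message lists getattr for ueventd), so the "no granted messages" test cannot tell whether ueventd stats generically labeled nodes. If getattr is expected (ueventd checking a node it just created) say so in the comment, otherwise add it to the audited set so the experiment covers the whole allow rule. The `# TODO: this rule appears unnecessary. Delete?` comment would also be more actionable if it stated the removal criterion, e.g. no granted lines across a full boot including uevent-driven device creation, since the ueventd exemption in the neverallow in the other file can only be dropped once this allow rule goes.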