platform_system_sepolicy/public/ueventd.te
Inseob Kim 55e5c9b513 Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
2020-03-18 16:46:04 +00:00

79 lines
3 KiB
Text

# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
type ueventd_tmpfs, file_type;
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;
allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
allow ueventd device:file create_file_perms;
r_dir_file(ueventd, rootfs)
# ueventd needs write access to files in /sys to regenerate uevents
allow ueventd sysfs_type:file w_file_perms;
r_dir_file(ueventd, sysfs_type)
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
allow ueventd tmpfs:chr_file rw_file_perms;
allow ueventd dev_type:dir create_dir_perms;
allow ueventd dev_type:lnk_file { create unlink };
allow ueventd dev_type:chr_file { getattr create setattr unlink };
allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow ueventd efs_file:dir search;
allow ueventd efs_file:file r_file_perms;
# Get SELinux enforcing status.
r_dir_file(ueventd, selinuxfs)
# Access for /vendor/ueventd.rc and /vendor/firmware
r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
# Get file contexts for new device nodes
allow ueventd file_contexts_file:file r_file_perms;
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
allow ueventd proc_cmdline:file r_file_perms;
# Everything is labeled as rootfs in recovery mode. ueventd has to execute
# the dynamic linker and shared libraries.
recovery_only(`
allow ueventd rootfs:file { r_file_perms execute };
')
# Suppress denials for ueventd to getattr /postinstall. This occurs when the
# linker tries to resolve paths in ld.config.txt.
dontaudit ueventd postinstall_mnt_dir:dir getattr;
# ueventd loads modules in response to modalias events.
allow ueventd self:global_capability_class_set sys_module;
allow ueventd vendor_file:system module_load;
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
#####
##### neverallow rules
#####
# Restrict ueventd access on block devices to maintenence operations.
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
# Only relabelto as we would never want to relabelfrom port_device
neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
# Nobody should be able to ptrace ueventd
neverallow * ueventd:process ptrace;
# ueventd should never execute a program without changing to another domain.
neverallow ueventd { file_type fs_type }:file execute_no_trans;