platform_system_sepolicy/public/ueventd.te
David Anderson e09c0eee36 Allow ueventd to access device-mapper.
ueventd needs access to device-mapper to fix a race condition in symlink
creation. When device-mapper uevents are received, we historically read
the uuid and name from sysfs. However it turns out sysfs may not be
fully populated at that time. It is more reliable to read this
information directly from device-mapper.

Bug: 270183812
Test: libdm_test, treehugger
Change-Id: I36b9b460a0fa76a37950d3672bd21b1c885a5069
2023-05-17 11:07:19 -07:00

86 lines
3.2 KiB
Text

# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
type ueventd_tmpfs, file_type;
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;
allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
allow ueventd device:file create_file_perms;
r_dir_file(ueventd, rootfs)
# ueventd needs write access to files in /sys to regenerate uevents
allow ueventd sysfs_type:file w_file_perms;
r_dir_file(ueventd, sysfs_type)
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
allow ueventd tmpfs:chr_file rw_file_perms;
allow ueventd dev_type:dir create_dir_perms;
allow ueventd dev_type:lnk_file { create unlink };
allow ueventd dev_type:chr_file { getattr create setattr unlink };
allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow ueventd efs_file:dir search;
allow ueventd efs_file:file r_file_perms;
# Get SELinux enforcing status.
r_dir_file(ueventd, selinuxfs)
# Access for /vendor/ueventd.rc and /vendor/firmware
r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
# Access for /apex/*/firmware
allow ueventd apex_mnt_dir:dir r_dir_perms;
# Get file contexts for new device nodes
allow ueventd file_contexts_file:file r_file_perms;
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
allow ueventd proc_cmdline:file r_file_perms;
allow ueventd proc_bootconfig:file r_file_perms;
# Everything is labeled as rootfs in recovery mode. ueventd has to execute
# the dynamic linker and shared libraries.
recovery_only(`
allow ueventd rootfs:file { r_file_perms execute };
')
# Suppress denials for ueventd to getattr /postinstall. This occurs when the
# linker tries to resolve paths in ld.config.txt.
dontaudit ueventd postinstall_mnt_dir:dir getattr;
# ueventd loads modules in response to modalias events.
allow ueventd self:global_capability_class_set sys_module;
allow ueventd vendor_file:system module_load;
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
use_bootstrap_libs(ueventd)
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
# Query device-mapper to extract name/uuid in response to uevents.
allow ueventd dm_device:chr_file rw_file_perms;
allow ueventd self:capability sys_admin;
#####
##### neverallow rules
#####
# Restrict ueventd access on block devices to maintenence operations.
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
# Only relabelto as we would never want to relabelfrom port_device
neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
# Nobody should be able to ptrace ueventd
neverallow * ueventd:process ptrace;
# ueventd should never execute a program without changing to another domain.
neverallow ueventd { file_type fs_type }:file execute_no_trans;