3171829af3
There are many character files that are unreachable to all processes under selinux policies. Ueventd and init were the only two domains that had access to these generic character files, but auditing proved there was no use for that access. In light of this, access is being completely revoked so that the device nodes can be removed, and a neverallow is being audited to prevent future regressions. Test: The device boots Bug: 33347297 Change-Id: If050693e5e5a65533f3d909382e40f9c6b85f61c
50 lines
2.2 KiB
Text
50 lines
2.2 KiB
Text
# ueventd seclabel is specified in init.rc since
|
|
# it lives in the rootfs and has no unique file type.
|
|
type ueventd, domain, domain_deprecated;
|
|
|
|
# Write to /dev/kmsg.
|
|
allow ueventd kmsg_device:chr_file rw_file_perms;
|
|
|
|
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
|
|
allow ueventd device:file create_file_perms;
|
|
|
|
r_dir_file(ueventd, sysfs_type)
|
|
r_dir_file(ueventd, rootfs)
|
|
allow ueventd sysfs:file w_file_perms;
|
|
allow ueventd sysfs_usb:file w_file_perms;
|
|
allow ueventd sysfs_hwrandom:file w_file_perms;
|
|
allow ueventd sysfs_zram_uevent:file w_file_perms;
|
|
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
|
|
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
|
|
allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
|
|
allow ueventd tmpfs:chr_file rw_file_perms;
|
|
allow ueventd dev_type:dir create_dir_perms;
|
|
allow ueventd dev_type:lnk_file { create unlink };
|
|
allow ueventd dev_type:chr_file { getattr create setattr unlink };
|
|
allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
|
|
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
|
allow ueventd efs_file:dir search;
|
|
allow ueventd efs_file:file r_file_perms;
|
|
|
|
# Get SELinux enforcing status.
|
|
r_dir_file(ueventd, selinuxfs)
|
|
|
|
# Use setfscreatecon() to label /dev directories and files.
|
|
allow ueventd self:process setfscreate;
|
|
|
|
#####
|
|
##### neverallow rules
|
|
#####
|
|
|
|
# ueventd must never set properties, otherwise deadlocks may occur.
|
|
# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
|
|
# No writing to the property socket, connecting to init, or setting properties.
|
|
neverallow ueventd property_socket:sock_file write;
|
|
neverallow ueventd init:unix_stream_socket connectto;
|
|
neverallow ueventd property_type:property_service set;
|
|
|
|
# Restrict ueventd access on block devices to maintenence operations.
|
|
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
|
|
|
|
# Only relabelto as we would never want to relabelfrom kmem_device or port_device
|
|
neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
|