277a20ebec
The CL splits /vendor labeling from /system. Which was allowing all processes read, execute access to /vendor. Following directories will remain world readable /vendor/etc /vendor/lib(64)/hw/ Following are currently world readable but their scope will be minimized to platform processes that require access /vendor/app /vendor/framework/ /vendor/overlay Files labelled with 'same_process_hal_file' are allowed to be read + executed from by the world. This is for Same process HALs and their dependencies. Bug: 36527360 Bug: 36832490 Bug: 36681210 Bug: 36680116 Bug: 36690845 Bug: 36697328 Bug: 36696623 Bug: 36806861 Bug: 36656392 Bug: 36696623 Bug: 36792803 All of the tests were done on sailfish, angler, bullhead, dragon Test: Boot and connect to wifi Test: Run chrome and load websites, play video in youtube, load maps w/ current location, take pictures and record video in camera, playback recorded video. Test: Connect to BT headset and ensure BT audio playback works. Test: OTA sideload using recovery Test: CTS SELinuxHostTest pass Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029 Signed-off-by: Sandeep Patil <sspatil@google.com>
56 lines
2.3 KiB
Text
56 lines
2.3 KiB
Text
# ueventd seclabel is specified in init.rc since
|
|
# it lives in the rootfs and has no unique file type.
|
|
type ueventd, domain, domain_deprecated;
|
|
|
|
# Write to /dev/kmsg.
|
|
allow ueventd kmsg_device:chr_file rw_file_perms;
|
|
|
|
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
|
|
allow ueventd device:file create_file_perms;
|
|
|
|
r_dir_file(ueventd, sysfs_type)
|
|
r_dir_file(ueventd, rootfs)
|
|
allow ueventd sysfs:file w_file_perms;
|
|
allow ueventd sysfs_usb:file w_file_perms;
|
|
allow ueventd sysfs_hwrandom:file w_file_perms;
|
|
allow ueventd sysfs_zram_uevent:file w_file_perms;
|
|
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
|
|
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
|
|
allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
|
|
allow ueventd tmpfs:chr_file rw_file_perms;
|
|
allow ueventd dev_type:dir create_dir_perms;
|
|
allow ueventd dev_type:lnk_file { create unlink };
|
|
allow ueventd dev_type:chr_file { getattr create setattr unlink };
|
|
allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
|
|
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
|
allow ueventd efs_file:dir search;
|
|
allow ueventd efs_file:file r_file_perms;
|
|
|
|
# Get SELinux enforcing status.
|
|
r_dir_file(ueventd, selinuxfs)
|
|
|
|
# Access for /vendor/ueventd.rc and /vendor/firmware
|
|
r_dir_file(ueventd, vendor_file)
|
|
|
|
# Get file contexts for new device nodes
|
|
allow ueventd file_contexts_file:file r_file_perms;
|
|
|
|
# Use setfscreatecon() to label /dev directories and files.
|
|
allow ueventd self:process setfscreate;
|
|
|
|
#####
|
|
##### neverallow rules
|
|
#####
|
|
|
|
# ueventd must never set properties, otherwise deadlocks may occur.
|
|
# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
|
|
# No writing to the property socket, connecting to init, or setting properties.
|
|
neverallow ueventd property_socket:sock_file write;
|
|
neverallow ueventd init:unix_stream_socket connectto;
|
|
neverallow ueventd property_type:property_service set;
|
|
|
|
# Restrict ueventd access on block devices to maintenence operations.
|
|
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
|
|
|
|
# Only relabelto as we would never want to relabelfrom kmem_device or port_device
|
|
neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
|