2012-01-04 09:33:27 -08:00
|
|
|
# ueventd seclabel is specified in init.rc since
|
|
|
|
# it lives in the rootfs and has no unique file type.
|
2015-11-03 09:54:39 -08:00
|
|
|
type ueventd, domain, domain_deprecated;
|
2012-01-04 09:33:27 -08:00
|
|
|
tmpfs_domain(ueventd)
|
Allow /dev/klog access, drop mknod and __null__ access
Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.
Addresses the following denials:
avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.
Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.
Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.
Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
2015-06-06 07:42:37 -07:00
|
|
|
|
2016-07-26 09:46:20 -07:00
|
|
|
# Write to /dev/kmsg.
|
|
|
|
allow ueventd kmsg_device:chr_file rw_file_perms;
|
Allow /dev/klog access, drop mknod and __null__ access
Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.
Addresses the following denials:
avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.
Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.
Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.
Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
2015-06-06 07:42:37 -07:00
|
|
|
|
2013-10-06 12:36:11 -07:00
|
|
|
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
|
|
|
|
allow ueventd device:file create_file_perms;
|
|
|
|
allow ueventd device:chr_file rw_file_perms;
|
2016-09-09 16:27:17 -07:00
|
|
|
r_dir_file(ueventd, sysfs_type)
|
|
|
|
r_dir_file(ueventd, rootfs)
|
|
|
|
allow ueventd sysfs:file w_file_perms;
|
|
|
|
allow ueventd sysfs_usb:file w_file_perms;
|
2016-03-11 15:23:49 -08:00
|
|
|
allow ueventd sysfs_hwrandom:file w_file_perms;
|
2016-01-04 14:23:23 -08:00
|
|
|
allow ueventd sysfs_zram_uevent:file w_file_perms;
|
2014-07-09 23:07:10 -07:00
|
|
|
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
|
2014-07-03 16:10:01 -07:00
|
|
|
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
|
2014-05-08 10:18:52 -07:00
|
|
|
allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
|
2013-10-06 12:36:11 -07:00
|
|
|
allow ueventd tmpfs:chr_file rw_file_perms;
|
|
|
|
allow ueventd dev_type:dir create_dir_perms;
|
|
|
|
allow ueventd dev_type:lnk_file { create unlink };
|
2016-06-02 15:06:02 -07:00
|
|
|
allow ueventd dev_type:chr_file { getattr create setattr unlink };
|
|
|
|
allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
|
2014-02-24 12:06:11 -08:00
|
|
|
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
|
2013-10-06 12:36:11 -07:00
|
|
|
allow ueventd efs_file:dir search;
|
|
|
|
allow ueventd efs_file:file r_file_perms;
|
2014-05-23 08:26:19 -07:00
|
|
|
|
2016-09-09 16:27:17 -07:00
|
|
|
# Get SELinux enforcing status.
|
|
|
|
r_dir_file(ueventd, selinuxfs)
|
|
|
|
|
2014-05-23 08:26:19 -07:00
|
|
|
# Use setfscreatecon() to label /dev directories and files.
|
|
|
|
allow ueventd self:process setfscreate;
|
2015-03-02 20:10:48 -08:00
|
|
|
|
|
|
|
#####
|
|
|
|
##### neverallow rules
|
|
|
|
#####
|
|
|
|
|
|
|
|
# ueventd must never set properties, otherwise deadlocks may occur.
|
|
|
|
# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
|
|
|
|
# No writing to the property socket, connecting to init, or setting properties.
|
|
|
|
neverallow ueventd property_socket:sock_file write;
|
|
|
|
neverallow ueventd init:unix_stream_socket connectto;
|
|
|
|
neverallow ueventd property_type:property_service set;
|
2016-06-02 15:06:02 -07:00
|
|
|
|
|
|
|
# Restrict ueventd access on block devices to maintenence operations.
|
|
|
|
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
|
|
|
|
|
|
|
|
# Only relabelto as we would never want to relabelfrom kmem_device
|
|
|
|
neverallow ueventd kmem_device:chr_file ~{ getattr create setattr unlink relabelto };
|