android_system_sepolicy/ueventd.te

# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain, domain_deprecated;
tmpfs_domain(ueventd)

# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;

allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file create_file_perms;
allow ueventd device:chr_file rw_file_perms;
r_dir_file(ueventd, sysfs_type)
r_dir_file(ueventd, rootfs)
allow ueventd sysfs:file w_file_perms;
allow ueventd sysfs_usb:file w_file_perms;
allow ueventd sysfs_hwrandom:file w_file_perms;
allow ueventd sysfs_zram_uevent:file w_file_perms;
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
allow ueventd tmpfs:chr_file rw_file_perms;
allow ueventd dev_type:dir create_dir_perms;
allow ueventd dev_type:lnk_file { create unlink };
allow ueventd dev_type:chr_file { getattr create setattr unlink };
allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
allow ueventd efs_file:dir search;
allow ueventd efs_file:file r_file_perms;

# Get SELinux enforcing status.
r_dir_file(ueventd, selinuxfs)

# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;

#####
##### neverallow rules
#####

# ueventd must never set properties, otherwise deadlocks may occur.
# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
# No writing to the property socket, connecting to init, or setting properties.
neverallow ueventd property_socket:sock_file write;
neverallow ueventd init:unix_stream_socket connectto;
neverallow ueventd property_type:property_service set;

# Restrict ueventd access on block devices to maintenence operations.
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };

# Only relabelto as we would never want to relabelfrom kmem_device
neverallow ueventd kmem_device:chr_file ~{ getattr create setattr unlink relabelto };
SE Android policy. 2012-01-04 09:33:27 -08:00			`# ueventd seclabel is specified in init.rc since`
			`# it lives in the rootfs and has no unique file type.`
Create attribute for moving perms out of domain Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary. Bug: 25433265 Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c 2015-11-03 09:54:39 -08:00			`type ueventd, domain, domain_deprecated;`
SE Android policy. 2012-01-04 09:33:27 -08:00			`tmpfs_domain(ueventd)`
Allow /dev/klog access, drop mknod and __null__ access Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg. These processes log to the kernel dmesg ring buffer, so they need write access to that file. Addresses the following denials: avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 These denials were triggered by the change in https://android-review.googlesource.com/151209 . Prior to that change, any code which called klog_init would (unnecessarily) create the device node themselves, rather than using the already existing device node. Drop special /dev/__null__ handling from watchdogd. As of https://android-review.googlesource.com/148288 , watchdogd no longer creates it's own /dev/null device, so it's unnecessary for us to allow for it. Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow only needed mknod to create /dev/__kmsg__, which is now obsolete. watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__, which again is now obsolete. Bug: 21242418 Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534 2015-06-06 07:42:37 -07:00
Simplify /dev/kmsg SELinux policy. Bug: http://b/30317429 Change-Id: I5c499c48d5e321ebdf588a162d29e949935ad8ee Test: adb shell dmesg \| grep ueventd 2016-07-26 09:46:20 -07:00			`# Write to /dev/kmsg.`
			`allow ueventd kmsg_device:chr_file rw_file_perms;`
Allow /dev/klog access, drop mknod and __null__ access Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg. These processes log to the kernel dmesg ring buffer, so they need write access to that file. Addresses the following denials: avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 These denials were triggered by the change in https://android-review.googlesource.com/151209 . Prior to that change, any code which called klog_init would (unnecessarily) create the device node themselves, rather than using the already existing device node. Drop special /dev/__null__ handling from watchdogd. As of https://android-review.googlesource.com/148288 , watchdogd no longer creates it's own /dev/null device, so it's unnecessary for us to allow for it. Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow only needed mknod to create /dev/__kmsg__, which is now obsolete. watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__, which again is now obsolete. Bug: 21242418 Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534 2015-06-06 07:42:37 -07:00
Start confining ueventd * Keep ueventd in permissive * Drop unconfined macro to collect logs * Restore allow rules to current NSA maintained policy Change-Id: Ic4ee8e24ccd8887fed151ae1e4f197512849f57b 2013-10-06 12:36:11 -07:00			`allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };`
			`allow ueventd device:file create_file_perms;`
			`allow ueventd device:chr_file rw_file_perms;`
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b 2016-09-09 16:27:17 -07:00			`r_dir_file(ueventd, sysfs_type)`
			`r_dir_file(ueventd, rootfs)`
			`allow ueventd sysfs:file w_file_perms;`
			`allow ueventd sysfs_usb:file w_file_perms;`
Create sysfs_hwrandom type. HwRngTest needs access to the hwrandom sysfs files, but untrused_app does not have access to sysfs. Give these files their own label and allow the needed read access. (cherry-pick from internal commit: 85c0f8affa4d3aa3c50331e272327e360eb8bed9) Bug: 27263241 Change-Id: If572ad0931a534d76e148b688b76687460e99af9 2016-03-11 15:23:49 -08:00			`allow ueventd sysfs_hwrandom:file w_file_perms;`
Create sysfs_zram label. Address following denials: avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0 avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0 avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0"dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0 Bug: 22032619 Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158 2016-01-04 14:23:23 -08:00			`allow ueventd sysfs_zram_uevent:file w_file_perms;`
allow ueventd sysfs_type lnk_file ueventd is allowed to change files and directories in /sys, but not symbolic links. This is, at a minimum, causing the following denial: type=1400 audit(0.0:5): avc: denied { getattr } for comm="ueventd" path="/sys/devices/tegradc.0/driver" dev=sysfs ino=3386 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_tegradc:s0 tclass=lnk_file Allow ueventd to modify labeling / attributes of symlinks. Change-Id: If641a218e07ef479d1283f3171b2743f3956386d 2014-07-09 23:07:10 -07:00			`allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };`
ueventd: Add policy support for ueventd labeling changes Currently, ueventd only modifies the SELinux label on a file if the entry exists in /ueventd.rc. Add policy support to enable an independent restorecon_recursive whenever a uevent message occurs. Change-Id: I0ccb5395ec0be9282095b844a5022e8c0d8903ac 2014-07-03 16:10:01 -07:00			`allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };`
Add sysfs_type attribute to sysfs, coalesce ueventd rules. As per the discussion in: https://android-review.googlesource.com/#/c/92903/ Add sysfs_type attribute to sysfs type so that it is included in rules on sysfs_type, allow setattr to all sysfs_type for ueventd for chown/chmod, and get rid of redundant rules. Change-Id: I1228385d5703168c3852ec75605ed8da7c99b83d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-05-08 10:18:52 -07:00			`allow ueventd sysfs_devices_system_cpu:file rw_file_perms;`
Start confining ueventd * Keep ueventd in permissive * Drop unconfined macro to collect logs * Restore allow rules to current NSA maintained policy Change-Id: Ic4ee8e24ccd8887fed151ae1e4f197512849f57b 2013-10-06 12:36:11 -07:00			`allow ueventd tmpfs:chr_file rw_file_perms;`
			`allow ueventd dev_type:dir create_dir_perms;`
			`allow ueventd dev_type:lnk_file { create unlink };`
ueventd: allow getattr on blk and chr types. The commit: d41ad551189c1b7be26a1807980418858b2a132e fixes a race in coldboot. However, introduced a seperate bug where existing character files were being relabeled. The fix was to have ueventd ensure their was a delta between the old and new labels and only then call lsetfilecon(). To do this we call lgetfilecon() which calls lgetxattr(), this requires getattr permissions. This patch is void of any relabelfrom/to for ueventd on chr_file as those can be added as they occur. Bug: 29106809 Change-Id: I84f60539252fc2b4a71cf01f78e3cadcfad443ef Signed-off-by: William Roberts <william.c.roberts@intel.com> 2016-06-02 15:06:02 -07:00			`allow ueventd dev_type:chr_file { getattr create setattr unlink };`
			`allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };`
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-24 12:06:11 -08:00			`allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;`
Start confining ueventd * Keep ueventd in permissive * Drop unconfined macro to collect logs * Restore allow rules to current NSA maintained policy Change-Id: Ic4ee8e24ccd8887fed151ae1e4f197512849f57b 2013-10-06 12:36:11 -07:00			`allow ueventd efs_file:dir search;`
			`allow ueventd efs_file:file r_file_perms;`
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-05-23 08:26:19 -07:00
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b 2016-09-09 16:27:17 -07:00			`# Get SELinux enforcing status.`
			`r_dir_file(ueventd, selinuxfs)`

Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-05-23 08:26:19 -07:00			`# Use setfscreatecon() to label /dev directories and files.`
			`allow ueventd self:process setfscreate;`
neverallow ueventd to set properties Add a compile time assertion that no SELinux rules exist which allow ueventd to set properties, or even connect to the property socket. See https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941 for details. Change-Id: Ia9e932a3d94443d70644b14f36c74df4be7e9e32 2015-03-02 20:10:48 -08:00
			`#####`
			`##### neverallow rules`
			`#####`

			`# ueventd must never set properties, otherwise deadlocks may occur.`
			`# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941`
			`# No writing to the property socket, connecting to init, or setting properties.`
			`neverallow ueventd property_socket:sock_file write;`
			`neverallow ueventd init:unix_stream_socket connectto;`
			`neverallow ueventd property_type:property_service set;`
ueventd: allow getattr on blk and chr types. The commit: d41ad551189c1b7be26a1807980418858b2a132e fixes a race in coldboot. However, introduced a seperate bug where existing character files were being relabeled. The fix was to have ueventd ensure their was a delta between the old and new labels and only then call lsetfilecon(). To do this we call lgetfilecon() which calls lgetxattr(), this requires getattr permissions. This patch is void of any relabelfrom/to for ueventd on chr_file as those can be added as they occur. Bug: 29106809 Change-Id: I84f60539252fc2b4a71cf01f78e3cadcfad443ef Signed-off-by: William Roberts <william.c.roberts@intel.com> 2016-06-02 15:06:02 -07:00
			`# Restrict ueventd access on block devices to maintenence operations.`
			`neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };`

			`# Only relabelto as we would never want to relabelfrom kmem_device`
			`neverallow ueventd kmem_device:chr_file ~{ getattr create setattr unlink relabelto };`