PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
886b1f54db
android_system_sepolicy/public/ueventd.te
Harpreet \"Eli\" Sangha 0487fe0252 ueventd: allow using external firmware handlers 
Userspace may want to load a different firmware than the one that the
kernel requests in some cases, therefore this change adds the ability
to ueventd to run an external handler that will determine the name of
the file that should actually be loaded.

Bug: 138352500
Test: Manually via custom handlers (compiled binary + shell script).
Change-Id: Ib1330cd3b049e23ef066c6e08d3785b344d1feed
2019-08-15 11:34:07 +09:00

84 lines
3.2 KiB
Plaintext
Raw Blame History

# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
type ueventd_tmpfs, file_type;
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;
allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
allow ueventd device:file create_file_perms;
r_dir_file(ueventd, rootfs)
# ueventd needs write access to files in /sys to regenerate uevents
allow ueventd sysfs_type:file w_file_perms;
r_dir_file(ueventd, sysfs_type)
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
allow ueventd tmpfs:chr_file rw_file_perms;
allow ueventd dev_type:dir create_dir_perms;
allow ueventd dev_type:lnk_file { create unlink };
allow ueventd dev_type:chr_file { getattr create setattr unlink };
allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow ueventd efs_file:dir search;
allow ueventd efs_file:file r_file_perms;
# Get SELinux enforcing status.
r_dir_file(ueventd, selinuxfs)
# Access for /vendor/ueventd.rc and /vendor/firmware
r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
# Get file contexts for new device nodes
allow ueventd file_contexts_file:file r_file_perms;
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
allow ueventd proc_cmdline:file r_file_perms;
# Everything is labeled as rootfs in recovery mode. ueventd has to execute
# the dynamic linker and shared libraries.
recovery_only(`
allow ueventd rootfs:file { r_file_perms execute };
')
# Suppress denials for ueventd to getattr /postinstall. This occurs when the
# linker tries to resolve paths in ld.config.txt.
dontaudit ueventd postinstall_mnt_dir:dir getattr;
# ueventd loads modules in response to modalias events.
allow ueventd self:global_capability_class_set sys_module;
allow ueventd vendor_file:system module_load;
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
# to init that cold boot has completed.
set_prop(ueventd, cold_boot_done_prop)
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
#####
##### neverallow rules
#####
# Restrict ueventd access on block devices to maintenence operations.
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
# Only relabelto as we would never want to relabelfrom port_device
neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
# Nobody should be able to ptrace ueventd
neverallow * ueventd:process ptrace;
# ueventd should never execute a program without changing to another domain.
neverallow ueventd { file_type fs_type }:file execute_no_trans;
Reference in New Issue View Git Blame Copy Permalink