PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
f54b3622c7
android_system_sepolicy/public/ueventd.te
Max Bires 3171829af3 Removing init and ueventd access to generic char files 
There are many character files that are unreachable to all processes
under selinux policies. Ueventd and init were the only two domains that
had access to these generic character files, but auditing proved there
was no use for that access. In light of this, access is being completely
revoked so that the device nodes can be removed, and a neverallow is
being audited to prevent future regressions.

Test: The device boots
Bug: 33347297
Change-Id: If050693e5e5a65533f3d909382e40f9c6b85f61c
2017-02-01 21:35:08 +00:00

51 lines
2.2 KiB
Plaintext
Raw Blame History

# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain, domain_deprecated;
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file create_file_perms;
r_dir_file(ueventd, sysfs_type)
r_dir_file(ueventd, rootfs)
allow ueventd sysfs:file w_file_perms;
allow ueventd sysfs_usb:file w_file_perms;
allow ueventd sysfs_hwrandom:file w_file_perms;
allow ueventd sysfs_zram_uevent:file w_file_perms;
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
allow ueventd tmpfs:chr_file rw_file_perms;
allow ueventd dev_type:dir create_dir_perms;
allow ueventd dev_type:lnk_file { create unlink };
allow ueventd dev_type:chr_file { getattr create setattr unlink };
allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow ueventd efs_file:dir search;
allow ueventd efs_file:file r_file_perms;
# Get SELinux enforcing status.
r_dir_file(ueventd, selinuxfs)
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
#####
##### neverallow rules
#####
# ueventd must never set properties, otherwise deadlocks may occur.
# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
# No writing to the property socket, connecting to init, or setting properties.
neverallow ueventd property_socket:sock_file write;
neverallow ueventd init:unix_stream_socket connectto;
neverallow ueventd property_type:property_service set;
# Restrict ueventd access on block devices to maintenence operations.
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
# Only relabelto as we would never want to relabelfrom kmem_device or port_device
neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
Reference in New Issue View Git Blame Copy Permalink