From 1960215c4981f2d0a67e916fefaf48cc1314efe2 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Mon, 9 Oct 2017 20:39:34 -0700
Subject: [PATCH] Label system_server's dependencies in sysfs.

New types:
sysfs_android_usb
sysfs_ipv4
sysfs_power
sysfs_rtc
sysfs_switch
sysfs_wakeup_reasons

Labeled:
/sys/class/android_usb, /sys/devices/virtual/android_usb ->sysfs_android_usb
/sys/class/rtc -> sysfs_rtc
/sys/class/switch, /sys/devices/virtual/switch -> sysfs_switch
/sys/power/state, /sys/power/wakeup_count -> sysfs_power
/sys/kernel/ipv4 -> sysfs_ipv4
/sys/kernel/wakeup_reasons -> sysfs_wakeup_reasons

Removed access to sysfs and sysfs_type from system_server and added
appropriate access to new types.

Bug: 65643247
Test: sailfish boots without violation from system_server or to new labels.
Change-Id: I27250fd537d76c8226defa138d84fe2a4ce2d5d5
---
 private/compat/26.0/26.0.cil | 10 +++++++++-
 private/genfs_contexts       |  9 +++++++++
 private/system_server.te     | 14 +++++++++++---
 public/file.te               |  6 ++++++
 4 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 234588a2e..a791009c9 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -564,7 +564,15 @@
 (typeattributeset surfaceflinger_26_0 (surfaceflinger))
 (typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
 (typeattributeset swap_block_device_26_0 (swap_block_device))
-(typeattributeset sysfs_26_0 (sysfs sysfs_dm))
+(typeattributeset sysfs_26_0
+  ( sysfs
+    sysfs_android_usb
+    sysfs_dm
+    sysfs_ipv4
+    sysfs_power
+    sysfs_rtc
+    sysfs_switch
+    sysfs_wakeup_reasons))
 (typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
 (typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
 (typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 563da5d5c..2cc6f70db 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -60,18 +60,27 @@ genfscon cgroup / u:object_r:cgroup:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /class/android_usb                 u:object_r:sysfs_android_usb:s0
 genfscon sysfs /class/leds                        u:object_r:sysfs_leds:s0
+genfscon sysfs /class/rtc                         u:object_r:sysfs_rtc:s0
+genfscon sysfs /class/switch                      u:object_r:sysfs_switch:s0
 genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/android_usb     u:object_r:sysfs_android_usb:s0
 genfscon sysfs /devices/virtual/block/dm-       u:object_r:sysfs_dm:s0
 genfscon sysfs /devices/virtual/block/zram0     u:object_r:sysfs_zram:s0
 genfscon sysfs /devices/virtual/block/zram1     u:object_r:sysfs_zram:s0
 genfscon sysfs /devices/virtual/block/zram0/uevent    u:object_r:sysfs_zram_uevent:s0
 genfscon sysfs /devices/virtual/block/zram1/uevent    u:object_r:sysfs_zram_uevent:s0
 genfscon sysfs /devices/virtual/misc/hw_random    u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /devices/virtual/switch          u:object_r:sysfs_switch:s0
 genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /power/state u:object_r:sysfs_power:s0
+genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
 genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
 genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
 genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
+genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
 genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
 genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
 genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
diff --git a/private/system_server.te b/private/system_server.te
index 8f9091d4e..260d6ce3a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -273,11 +273,20 @@ allow system_server mac_perms_file: file r_file_perms;
 # Check SELinux permissions.
 selinux_check_access(system_server)
 
-# XXX Label sysfs files with a specific type?
-allow system_server sysfs:file rw_file_perms;
+r_dir_file(system_server, sysfs_android_usb)
+allow system_server sysfs_android_usb:file w_file_perms;
+
+r_dir_file(system_server, sysfs_ipv4)
+allow system_server sysfs_ipv4:file w_file_perms;
+
+r_dir_file(system_server, sysfs_rtc)
+r_dir_file(system_server, sysfs_switch)
+r_dir_file(system_server, sysfs_wakeup_reasons)
+
 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
 allow system_server sysfs_devices_system_cpu:file w_file_perms;
 allow system_server sysfs_mac_address:file r_file_perms;
+allow system_server sysfs_power:file rw_file_perms;
 allow system_server sysfs_thermal:dir search;
 allow system_server sysfs_thermal:file r_file_perms;
 
@@ -683,7 +692,6 @@ r_dir_file(system_server, proc_pagetypeinfo)
 r_dir_file(system_server, proc_version)
 r_dir_file(system_server, proc_vmallocinfo)
 r_dir_file(system_server, rootfs)
-r_dir_file(system_server, sysfs_type)
 
 ### Rules needed when Light HAL runs inside system_server process.
 ### These rules should eventually be granted only when needed.
diff --git a/public/file.te b/public/file.te
index d79fb6044..435b85238 100644
--- a/public/file.te
+++ b/public/file.te
@@ -44,16 +44,22 @@ type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_android_usb, fs_type, sysfs_type;
 type sysfs_uio, sysfs_type, fs_type;
 type sysfs_batteryinfo, fs_type, sysfs_type;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_dm, fs_type, sysfs_type;
+type sysfs_ipv4, fs_type, sysfs_type;
 type sysfs_leds, fs_type, sysfs_type;
 type sysfs_hwrandom, fs_type, sysfs_type;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
 type sysfs_mac_address, fs_type, sysfs_type;
+type sysfs_power, fs_type, sysfs_type;
+type sysfs_rtc, fs_type, sysfs_type;
+type sysfs_switch, fs_type, sysfs_type;
 type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
+type sysfs_wakeup_reasons, fs_type, sysfs_type;
 type sysfs_fs_ext4_features, sysfs_type, fs_type;
 type configfs, fs_type;
 # /sys/devices/system/cpu
-- 
GitLab