Commit 3171829a authored by Max Bires

Removing init and ueventd access to generic char files

There are many character files that are unreachable to all processes
under selinux policies. Ueventd and init were the only two domains that
had access to these generic character files, but auditing proved there
was no use for that access. In light of this, access is being completely
revoked so that the device nodes can be removed, and a neverallow is
being audited to prevent future regressions.

Test: The device boots
Bug: 33347297
Change-Id: If050693e5e5a65533f3d909382e40f9c6b85f61c
parent 542a4626
...@@ -271,9 +271,7 @@ neverallow * *:{ blk_file chr_file } rename; ...@@ -271,9 +271,7 @@ neverallow * *:{ blk_file chr_file } rename;
# Don't allow raw read/write/open access to generic devices. # Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type. # Rather force a relabel to a more specific type.
# init is exempt from this as there are character devices that only it uses. neverallow domain device:chr_file { open read write };
# ueventd is exempt from this, as it is managing these devices.
neverallow { domain -init -ueventd } device:chr_file { open read write };
# Limit what domains can mount filesystems or change their mount flags. # Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need # sdcard_type / vfat is exempt as a larger set of domains need
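Review bot: The now unconditional rule, neverallow domain device:chr_file { open read write }, names only three permissions, while the rw_file_perms grants this commit deletes for init and ueventd also carry ioctl and append, so a later allow of those on device:chr_file would still compile. If the goal is that generic character nodes become unusable and can be removed, consider listing ioctl and append here as well, or extend the comment to say why open/read/write is sufficient.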
......
...@@ -195,8 +195,13 @@ userdebug_or_eng(` ...@@ -195,8 +195,13 @@ userdebug_or_eng(`
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr }; allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search }; allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
# init should not be able to read or open generic devices
# TODO: auditing to see if this can be deleted entirely
allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
auditallow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
# chown/chmod on devices. # chown/chmod on devices.
allow init { dev_type -kmem_device -port_device }:chr_file { read open setattr }; allow init { dev_type -kmem_device -port_device }:chr_file setattr;
# Unlabeled file access for upgrades from 4.2. # Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom }; allow init unlabeled:dir { create_dir_perms relabelfrom };
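Review bot: The comment added above the new allow/auditallow pair, "init should not be able to read or open generic devices", describes the -device exclusion rather than the rule beneath it, which grants and audits read/open on every other dev_type, and its TODO carries no bug number, unlike the "(b/33347297)" TODO deleted later in this file. Suggest rewording it to say that read/open on typed character devices is kept under auditallow pending removal, and attaching a bug id so the auditallow is not left in place indefinitely. The commit message does not mention this new audit either.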
...@@ -318,11 +323,6 @@ allow init hw_random_device:chr_file r_file_perms; ...@@ -318,11 +323,6 @@ allow init hw_random_device:chr_file r_file_perms;
# only ever accessed by init. # only ever accessed by init.
allow init device:file create_file_perms; allow init device:file create_file_perms;
# Access character devices without a specific type,
# TODO: Remove this access and auditallow (b/33347297)
allow init device:chr_file { rw_file_perms setattr };
auditallow init device:chr_file { rw_file_perms setattr };
# keychord configuration # keychord configuration
allow init self:capability sys_tty_config; allow init self:capability sys_tty_config;
allow init keychord_device:chr_file rw_file_perms; allow init keychord_device:chr_file rw_file_perms;
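Review bot: Deleting allow init device:chr_file { rw_file_perms setattr } does not take setattr on the generic type away from init, because the chown/chmod rule in the earlier hunk of this file, allow init { dev_type -kmem_device -port_device }:chr_file setattr, does not subtract device the way the new read/open rule does. If that is intended so init can still chown/chmod untyped nodes, say so in the commit message, which describes the access as "completely revoked"; otherwise add -device to that set.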
......
...@@ -7,8 +7,6 @@ allow ueventd kmsg_device:chr_file rw_file_perms; ...@@ -7,8 +7,6 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner }; allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file create_file_perms; allow ueventd device:file create_file_perms;
allow ueventd device:chr_file rw_file_perms;
auditallow ueventd device:chr_file rw_file_perms;
r_dir_file(ueventd, sysfs_type) r_dir_file(ueventd, sysfs_type)
r_dir_file(ueventd, rootfs) r_dir_file(ueventd, rootfs)
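Review bot: With allow ueventd device:chr_file rw_file_perms removed and the -ueventd exemption dropped from the neverallow, ueventd can no longer open any node left with the generic label, and the only evidence recorded for that is "Test: The device boots". Please state in the commit message which targets the auditallow deleted here was observed on and for how long, so it is clear that the "no use for that access" conclusion rests on more than a single boot.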
......