From 31d88a704ecd16d67633ee8d46370b282c67bfbc Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 6 Jun 2015 07:42:37 -0700
Subject: [PATCH] Allow /dev/klog access, drop mknod and __null__ access

Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.

Addresses the following denials:

    avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.

Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates its own /dev/null device, so it's unnecessary for us
to allow for it.

Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.

(cherry picked from e2651972c13a2aa3f930f5c39d81d41177387bf0)

Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
---
 domain.te    |  8 +++++++-
 healthd.te   |  8 +++-----
 slideshow.te |  4 ++--
 te_macros    | 11 -----------
 ueventd.te   |  7 ++++++-
 vold.te      |  2 +-
 watchdogd.te |  7 +------
 7 files changed, 20 insertions(+), 27 deletions(-)

diff --git a/domain.te b/domain.te
index 73043f57e..a1a782be7 100644
--- a/domain.te
+++ b/domain.te
@@ -187,7 +187,13 @@ neverallow {
 } self:capability sys_ptrace;
 
 # Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
+neverallow {
+  domain
+  -kernel
+  -init
+  -ueventd
+  -vold
+} self:capability mknod;
 
 # Limit raw I/O to these whitelisted domains.
 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
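Review bot: The rewritten mknod neverallow also drops `recovery` and `uncrypt` from the exemption list, which the commit description does not mention; it only explains removing watchdogd, healthd and slideshow. If recovery.te or uncrypt.te still carry `allow ... self:capability mknod` the policy will fail to compile against this tighter neverallow, and if they do not, the description should say that these two domains were already off mknod so the tightening is intentional. Please confirm which it is and either restore `-recovery -uncrypt` or add a sentence to the description. The sys_rawio neverallow on the following line keeps its old inline form, so the two whitelists now read differently for no stated reason.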
diff --git a/healthd.te b/healthd.te
index a1019ee92..cd5429be1 100644
--- a/healthd.te
+++ b/healthd.te
@@ -2,12 +2,10 @@
 # it lives in the rootfs and has no unique file type.
 type healthd, domain;
 
-write_klog(healthd)
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by healthd.
-allow healthd tmpfs:chr_file { read write };
+# Write to /dev/kmsg
+allow healthd kmsg_device:chr_file rw_file_perms;
 
-allow healthd self:capability { net_admin mknod sys_tty_config };
+allow healthd self:capability { net_admin sys_tty_config };
 wakelock_use(healthd)
 allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
 binder_use(healthd)
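Review bot: `allow healthd kmsg_device:chr_file rw_file_perms;` grants more than the denial in the description asks for, which is `{ write }` on /dev/kmsg; rw_file_perms also gives read, so healthd can now consume the kernel log ring buffer, which the old write_klog macro (create/open/write/unlink on a private node) never allowed. If the file's macro set defines it, `allow healthd kmsg_device:chr_file w_file_perms;` keeps the change to what healthd needs for klog_write. The `# Write to /dev/kmsg` comment would then also describe the rule accurately.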
diff --git a/slideshow.te b/slideshow.te
index 2b82b3e01..86d4bff2e 100644
--- a/slideshow.te
+++ b/slideshow.te
@@ -2,10 +2,10 @@
 # it lives in the rootfs and has no unique file type.
 type slideshow, domain;
 
-write_klog(slideshow)
+allow slideshow kmsg_device:chr_file rw_file_perms;
 wakelock_use(slideshow)
 allow slideshow device:dir r_dir_perms;
-allow slideshow self:capability { mknod sys_tty_config };
+allow slideshow self:capability sys_tty_config;
 allow slideshow graphics_device:dir r_dir_perms;
 allow slideshow graphics_device:chr_file rw_file_perms;
 allow slideshow input_device:dir r_dir_perms;
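Review bot: The new `allow slideshow kmsg_device:chr_file rw_file_perms;` line has no comment, unlike the healthd counterpart in this patch, and it includes read access that the replaced write_klog macro did not provide. Prefer `# Write to /dev/kmsg` followed by `allow slideshow kmsg_device:chr_file w_file_perms;` (if that macro exists in this tree) so that the rule is documented and limited to the write direction the logger actually uses.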
diff --git a/te_macros b/te_macros
index a76bb5df3..99a9411e4 100644
--- a/te_macros
+++ b/te_macros
@@ -281,17 +281,6 @@ define(`access_kmsg', `
 allow $1 kernel:system syslog_read;
 ')
 
-#####################################
-# write_klog(domain)
-# Ability to write to kernel log via
-# klog_write()
-# See system/core/libcutil/klog.c
-define(`write_klog', `
-type_transition $1 device:chr_file klog_device "__kmsg__";
-allow $1 klog_device:chr_file { create open write unlink };
-allow $1 device:dir { write add_name remove_name };
-')
-
 #####################################
 # create_pty(domain)
 # Allow domain to create and use a pty, isolated from any other domain ptys.
diff --git a/ueventd.te b/ueventd.te
index 23c93ad85..f4884d703 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -2,7 +2,12 @@
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 tmpfs_domain(ueventd)
-write_klog(ueventd)
+
+# TODO: why is ueventd using __kmsg__ when it should just create
+# and use /dev/kmsg instead?
+type_transition ueventd device:chr_file klog_device "__kmsg__";
+allow ueventd klog_device:chr_file { create open write unlink };
+
 security_access_policy(ueventd)
 allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
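Review bot: The inlined rules carry over the type_transition and the klog_device chr_file permissions from write_klog, but not the macro's third rule, `allow $1 device:dir { write add_name remove_name };`, which is what lets the caller create and unlink /dev/__kmsg__ in /dev. That is only safe if ueventd.te already grants ueventd those device:dir permissions elsewhere in the file, which this hunk does not show; please verify, since otherwise ueventd's klog_init path will start producing add_name denials. The comment could also say so explicitly, e.g. `# device:dir write/add_name/remove_name for __kmsg__ is granted below`, or name the TODO's bug number so the leftover __kmsg__ path gets tracked.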
diff --git a/vold.te b/vold.te
index 4ee45b91d..a1aef72fd 100644
--- a/vold.te
+++ b/vold.te
@@ -81,7 +81,7 @@ allow vold self:capability { sys_ptrace kill };
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
 
-write_klog(vold)
+allow vold kmsg_device:chr_file rw_file_perms;
 
 # Run fsck.
 allow vold fsck_exec:file rx_file_perms;
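Review bot: The denial quoted for vold is `{ write }` on kmsg_device, but the replacement rule is `allow vold kmsg_device:chr_file rw_file_perms;`, which adds read access to the kernel log that the removed write_klog macro did not grant. `allow vold kmsg_device:chr_file w_file_perms;` with a `# Write to /dev/kmsg` comment would match the actual need and keep the rule self-explanatory. Hedged: this assumes w_file_perms is defined in this tree's global macros.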
diff --git a/watchdogd.te b/watchdogd.te
index ab9356000..00292a9a9 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,9 +1,4 @@
 # watchdogd seclabel is specified in init.<board>.rc
 type watchdogd, domain;
-allow watchdogd self:capability mknod;
-allow watchdogd device:dir { add_name write remove_name };
 allow watchdogd watchdog_device:chr_file rw_file_perms;
-# because of /dev/__kmsg__ and /dev/__null__
-write_klog(watchdogd)
-type_transition watchdogd device:chr_file null_device "__null__";
-allow watchdogd null_device:chr_file { create unlink };
+allow watchdogd kmsg_device:chr_file rw_file_perms;
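Review bot: `allow watchdogd kmsg_device:chr_file rw_file_perms;` replaces a create/open/write/unlink rule with one that also permits reading /dev/kmsg, which is not what the quoted `{ write }` denial requires. A write-only form, `allow watchdogd kmsg_device:chr_file w_file_perms;`, with a short `# Write to /dev/kmsg` comment keeps watchdogd at the same privilege level the old macro implied. The removal of the mknod capability and the device:dir write rules in this hunk is otherwise a welcome tightening.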
-- 
GitLab