Commit 3e113edf authored by Nick Kralevich

neverallow ueventd to set properties

Add a compile time assertion that no SELinux rules exist which
allow ueventd to set properties, or even connect to the property
socket.

See https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
for details.

Change-Id: Ia9e932a3d94443d70644b14f36c74df4be7e9e32
parent 19eecd2d
...@@ -23,3 +23,14 @@ allow ueventd efs_file:file r_file_perms; ...@@ -23,3 +23,14 @@ allow ueventd efs_file:file r_file_perms;
# Use setfscreatecon() to label /dev directories and files. # Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate; allow ueventd self:process setfscreate;
#####
##### neverallow rules
#####
# ueventd must never set properties, otherwise deadlocks may occur.
# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
# No writing to the property socket, connecting to init, or setting properties.
neverallow ueventd property_socket:sock_file write;
neverallow ueventd init:unix_stream_socket connectto;
neverallow ueventd property_type:property_service set;
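Review bot: The comment above the three neverallow rules gives the rationale only as "deadlocks may occur" and leaves the explanation to a Gerrit URL pinned to patch set 6 and line 941 of init/devices.cpp. A reader of this policy file cannot tell from the comment what the deadlock condition is, and the link stops being useful if that review or line number no longer resolves. Suggest adding one sentence to the comment that states the condition directly and keeping the URL as a secondary reference. The comment line "No writing to the property socket, connecting to init, or setting properties" already maps one-to-one onto the three rules, which is helpful and should stay.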