relax neverallow rules on NETLINK_KOBJECT_UEVENT sockets

Netlink uevent sockets are used by the kernel to inform userspace when certain events occur, for example, when new hardware is added or removed. This allows userspace to take some action based on those messages. Relax the neverallow rule for NETLINK_KOBJECT_UEVENT sockets. Certain device specific app domains, such as system_app, may have a need to receive messages from this socket type. Continue to neverallow NETLINK_KOBJECT_UEVENT sockets for untrusted_app. These sockets have been the source of rooting attacks in Android in the past, and it doesn't make sense to expose this to untrusted_apps. No new SELinux rules are introduced by this change. This is an adjustment of compile time assertions only. Bug: 17525863 Change-Id: I3e538dc8096dc23b9678bcd20e3c1e742c21c967

relax neverallow rules on NETLINK_KOBJECT_UEVENT sockets
642b8042 · Nick Kralevich · dd053a9b · 642b8042 · 642b8042
Commit 642b8042 authored 10 years ago by Nick Kralevich
--- a/app.te
+++ b/app.te
@@ -221,9 +221,13 @@ neverallow appdomain
        netlink_audit_socket
        netlink_ip6fw_socket
        netlink_dnrt_socket
-        netlink_kobject_uevent_socket
    } *;

+# These messages are broadcast messages from the kernel to userspace.
+# Do not allow the writing of netlink messages, which has been a source
+# of rooting vulns in the past.
+neverallow appdomain self:netlink_kobject_uevent_socket { write append };
+
 # Sockets under /dev/socket that are not specifically typed.
 neverallow appdomain socket_device:sock_file write;


--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -81,6 +81,9 @@ auditallow untrusted_app {
 ### neverallow rules
 ###

+# Receive or send uevent messages.
+neverallow untrusted_app self:netlink_kobject_uevent_socket *;
+
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
 neverallow untrusted_app debugfs:file read;