Skip to content
Snippets Groups Projects
Commit a5f41c38 authored by Max Bires's avatar Max Bires Committed by android-build-merger
Browse files

Auditing init and ueventd access to chr device files. am: 9e7a5b0a 

am: 845a8e80

Change-Id: Ida5c1667e23b991c803b6fe141e40fb510dc9746
parents d6af2cbd 845a8e80
No related branches found
No related tags found
No related merge requests found
Show whitespace changes
Inline Side-by-side
private/file_contexts
+ 1
0
View file @ a5f41c38
...@@ -83,6 +83,7 @@ ...@@ -83,6 +83,7 @@
/dev/input(/.*) u:object_r:input_device:s0 /dev/input(/.*) u:object_r:input_device:s0
/dev/iio:device[0-9]+ u:object_r:iio_device:s0 /dev/iio:device[0-9]+ u:object_r:iio_device:s0
/dev/ion u:object_r:ion_device:s0 /dev/ion u:object_r:ion_device:s0
/dev/keychord u:object_r:keychord_device:s0
/dev/kmem u:object_r:kmem_device:s0 /dev/kmem u:object_r:kmem_device:s0
/dev/log(/.*)? u:object_r:log_device:s0 /dev/log(/.*)? u:object_r:log_device:s0
/dev/mem u:object_r:kmem_device:s0 /dev/mem u:object_r:kmem_device:s0
......
public/device.te
+ 1
0
View file @ a5f41c38
...@@ -10,6 +10,7 @@ type hwbinder_device, dev_type, mlstrustedobject; ...@@ -10,6 +10,7 @@ type hwbinder_device, dev_type, mlstrustedobject;
type block_device, dev_type; type block_device, dev_type;
type camera_device, dev_type; type camera_device, dev_type;
type dm_device, dev_type; type dm_device, dev_type;
type keychord_device, dev_type;
type loop_device, dev_type; type loop_device, dev_type;
type pmsg_device, dev_type, mlstrustedobject; type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type; type radio_device, dev_type;
......
public/init.te
+ 3
3
View file @ a5f41c38
...@@ -308,13 +308,13 @@ allow init hw_random_device:chr_file r_file_perms; ...@@ -308,13 +308,13 @@ allow init hw_random_device:chr_file r_file_perms;
allow init device:file create_file_perms; allow init device:file create_file_perms;
# Access character devices without a specific type, # Access character devices without a specific type,
# e.g. /dev/keychord. # TODO: Remove this access and auditallow (b/33347297)
# TODO: Move these devices into their own type unless they
# are only ever accessed by init.
allow init device:chr_file { rw_file_perms setattr }; allow init device:chr_file { rw_file_perms setattr };
auditallow init device:chr_file { rw_file_perms setattr };
# keychord configuration # keychord configuration
allow init self:capability sys_tty_config; allow init self:capability sys_tty_config;
allow init keychord_device:chr_file rw_file_perms;
# Access device mapper for setting up dm-verity # Access device mapper for setting up dm-verity
allow init dm_device:chr_file rw_file_perms; allow init dm_device:chr_file rw_file_perms;
......
public/ueventd.te
+ 2
0
View file @ a5f41c38
...@@ -8,6 +8,8 @@ allow ueventd kmsg_device:chr_file rw_file_perms; ...@@ -8,6 +8,8 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner }; allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file create_file_perms; allow ueventd device:file create_file_perms;
allow ueventd device:chr_file rw_file_perms; allow ueventd device:chr_file rw_file_perms;
auditallow ueventd device:chr_file rw_file_perms;
r_dir_file(ueventd, sysfs_type) r_dir_file(ueventd, sysfs_type)
r_dir_file(ueventd, rootfs) r_dir_file(ueventd, rootfs)
allow ueventd sysfs:file w_file_perms; allow ueventd sysfs:file w_file_perms;
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment