Merge changes from topic 'selinux-usermodehelper-rework'

* changes: create separate usermodehelper type for sysfs Revert "ueventd: Grant write access to all files in /sys"

Merge changes from topic 'selinux-usermodehelper-rework'
a8a739e0 · TreeHugger Robot · Android (Google) Code Review · cf376fd4 · ece21859 · a8a739e0
Commit a8a739e0 authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/prebuilts/api/26.0/26.0.cil
+++ b/prebuilts/api/26.0/26.0.cil
@@ -645,7 +645,7 @@
 (typeattributeset usbfs_26_0 (usbfs))
 (typeattributeset usb_service_26_0 (usb_service))
 (typeattributeset userdata_block_device_26_0 (userdata_block_device))
-(typeattributeset usermodehelper_26_0 (usermodehelper))
+(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper))
 (typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
 (typeattributeset user_service_26_0 (user_service))
 (typeattributeset vcs_device_26_0 (vcs_device))

--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -59,7 +59,7 @@ genfscon sysfs /devices/virtual/misc/hw_random    u:object_r:sysfs_hwrandom:s0
 genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
 genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
 genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
-genfscon sysfs /kernel/uevent_helper u:object_r:usermodehelper:s0
+genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
 genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
 genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
 genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0

--- a/public/domain.te
+++ b/public/domain.te
@@ -317,6 +317,7 @@ neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
 neverallow { domain -init } proc_security:file { append open read write };

 # No domain should be allowed to ptrace init.

--- a/public/file.te
+++ b/public/file.te
@@ -9,7 +9,8 @@ type proc_security, fs_type;
 type proc_drop_caches, fs_type;
 type proc_overcommit_memory, fs_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type, sysfs_type;
+type usermodehelper, fs_type;
+type sysfs_usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type proc_cpuinfo, fs_type;

--- a/public/init.te
+++ b/public/init.te
@@ -252,7 +252,7 @@ allow init kernel:system syslog_mod;
 allow init self:capability2 syslog;

 # Set usermodehelpers and /proc security settings.
-allow init usermodehelper:file rw_file_perms;
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
 allow init proc_security:file rw_file_perms;

 # Write to /proc/sys/kernel/panic_on_oops.

--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -11,7 +11,7 @@ allow ueventd device:file create_file_perms;
 r_dir_file(ueventd, rootfs)

 # ueventd needs write access to files in /sys to regenerate uevents
-allow ueventd { sysfs_type -usermodehelper }:file w_file_perms;
+allow ueventd sysfs_type:file w_file_perms;
 r_dir_file(ueventd, sysfs_type)
 allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
 allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };