From cd109d447336808426059a81cc6bfa781126ecf8 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Thu, 2 Jun 2016 15:06:02 -0700
Subject: [PATCH] ueventd: allow getattr on blk and chr types.

The commit: d41ad551189c1b7be26a1807980418858b2a132e
fixes a race in coldboot. However, it introduced a separate
bug where existing character files were being relabeled.

The fix was to have ueventd ensure there was a delta between
the old and new labels and only then call lsetfilecon(). To
do this we call lgetfilecon() which calls lgetxattr(); this
requires getattr permissions.

This patch is void of any relabelfrom/to for ueventd on chr_file
as those can be added as they occur.

Bug: 29106809

Change-Id: I84f60539252fc2b4a71cf01f78e3cadcfad443ef
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 domain.te  |  3 ++-
 ueventd.te | 10 ++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/domain.te b/domain.te
index 90103fa60..4ecca7e06 100644
--- a/domain.te
+++ b/domain.te
@@ -216,7 +216,7 @@ neverallow {
   -init
   -kernel
   -shell # For CTS and is restricted to getattr in shell.te
-  -ueventd
+  -ueventd # Further restricted in ueventd.te
 } kmem_device:chr_file *;
 neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
 
@@ -330,6 +330,7 @@ neverallow {
   -recovery
   -system_server
   -shell # Shell is further restricted in shell.te
+  -ueventd # Further restricted in ueventd.te
 } frp_block_device:blk_file rw_file_perms;
 
 # No domain other than recovery and update_engine can write to system partition(s).
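Review bot: The new `-ueventd` exclusion on the frp_block_device:blk_file neverallow is only safe while the dev_type:blk_file neverallow added in ueventd.te keeps every member of rw_file_perms other than getattr out of ueventd's permitted set, and that dependency is not visible from this line. Since the exclusion is evidently needed because getattr is part of rw_file_perms, the comment should name the rule it relies on, e.g. `-ueventd # Further restricted in ueventd.te: the dev_type:blk_file neverallow there keeps read/write out`. This assumes frp_block_device carries the dev_type attribute, which this patch does not show; if it does not, ueventd.te bounds nothing for this type and the exclusion should be reconsidered. The enclosing neverallow statement starts before the hunk.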
diff --git a/ueventd.te b/ueventd.te
index 3c4ba20b8..ec7e9a1ac 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -20,8 +20,8 @@ allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
 allow ueventd tmpfs:chr_file rw_file_perms;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { create setattr unlink };
-allow ueventd dev_type:blk_file { relabelfrom relabelto create setattr unlink };
+allow ueventd dev_type:chr_file { getattr create setattr unlink };
+allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
 allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
 allow ueventd efs_file:dir search;
 allow ueventd efs_file:file r_file_perms;
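Review bot: The two allow rules gain `getattr` with no comment, while the reason (ueventd now calls lgetfilecon() to compare the existing label before lsetfilecon()) lives only in the commit message, so the next reader of ueventd.te will not know why a relabel-only daemon needs it. A one-line comment above the chr_file rule, `# getattr: ueventd reads the current label and only relabels when it differs`, records the intent. Note that getattr is granted across all of dev_type, not just the nodes ueventd creates, which is what the label comparison needs but is worth stating.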
@@ -39,3 +39,9 @@ allow ueventd self:process setfscreate;
 neverallow ueventd property_socket:sock_file write;
 neverallow ueventd init:unix_stream_socket connectto;
 neverallow ueventd property_type:property_service set;
+
+# Restrict ueventd access on block devices to maintenence operations.
+neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
+
+# Only relabelto as we would never want to relabelfrom kmem_device
+neverallow ueventd kmem_device:chr_file ~{ getattr create setattr unlink relabelto };
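Review bot: The new comment on the blk_file neverallow misspells "maintenance"; it should read `# Restrict ueventd access on block devices to maintenance operations.`. That neverallow's permission set is a verbatim copy of the dev_type:blk_file allow rule earlier in this file, so any future change must touch both lines; a note such as `# Must stay in sync with the dev_type:blk_file allow rule above.` makes that coupling explicit. dev_type:chr_file gets no matching neverallow, so only kmem_device is bounded for character devices; the commit message says chr_file relabelfrom/relabelto are deliberately left for later, and a one-line comment to that effect would stop a reader from taking the omission for an oversight.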
-- 