Commit cd109d44 authored by William Roberts, committed by William C Roberts

ueventd: allow getattr on blk and chr types.


The commit: d41ad551
fixes a race in coldboot. However, it introduced a separate
bug where existing character files were being relabeled.

The fix was to have ueventd ensure there was a delta between
the old and new labels and only then call lsetfilecon(). To
do this we call lgetfilecon() which calls lgetxattr(), this
requires getattr permissions.

This patch is void of any relabelfrom/to for ueventd on chr_file
as those can be added as they occur.

Bug: 29106809

Change-Id: I84f60539252fc2b4a71cf01f78e3cadcfad443ef
Signed-off-by: William Roberts <william.c.roberts@intel.com>
parent 38ac77e4
...@@ -216,7 +216,7 @@ neverallow { ...@@ -216,7 +216,7 @@ neverallow {
-init -init
-kernel -kernel
-shell # For CTS and is restricted to getattr in shell.te -shell # For CTS and is restricted to getattr in shell.te
-ueventd -ueventd # Further restricted in ueventd.te
} kmem_device:chr_file *; } kmem_device:chr_file *;
neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr }; neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
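Review bot: the only change in this hunk is the trailing comment on the `-ueventd` exclusion, so nothing is tightened here; the exemption from this `kmem_device:chr_file *` neverallow is only as safe as the matching per-domain neverallow in ueventd.te that the comment points to. Since the global rule on the line below already confines every domain to `{ create relabelto unlink setattr getattr }`, the ueventd.te rule should mirror exactly that set (and not add relabelfrom), so that the cross-reference comment stays true if either file is edited later.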
...@@ -330,6 +330,7 @@ neverallow { ...@@ -330,6 +330,7 @@ neverallow {
-recovery -recovery
-system_server -system_server
-shell # Shell is further restricted in shell.te -shell # Shell is further restricted in shell.te
-ueventd # Further restricted in ueventd.te
} frp_block_device:blk_file rw_file_perms; } frp_block_device:blk_file rw_file_perms;
# No domain other than recovery and update_engine can write to system partition(s). # No domain other than recovery and update_engine can write to system partition(s).
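Review bot: adding `-ueventd` to the exclusion list removes ueventd from a neverallow covering `frp_block_device:blk_file rw_file_perms`, which is broader than the getattr the commit message asks for (rw_file_perms includes read and write). The protection now depends on the `dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink }` neverallow added to ueventd.te, which only applies if `frp_block_device` carries the `dev_type` attribute; that is not visible in this hunk and is worth confirming, or the comment here could name the specific rule it relies on.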
......
...@@ -20,8 +20,8 @@ allow ueventd sysfs_devices_system_cpu:file rw_file_perms; ...@@ -20,8 +20,8 @@ allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
allow ueventd tmpfs:chr_file rw_file_perms; allow ueventd tmpfs:chr_file rw_file_perms;
allow ueventd dev_type:dir create_dir_perms; allow ueventd dev_type:dir create_dir_perms;
allow ueventd dev_type:lnk_file { create unlink }; allow ueventd dev_type:lnk_file { create unlink };
allow ueventd dev_type:chr_file { create setattr unlink }; allow ueventd dev_type:chr_file { getattr create setattr unlink };
allow ueventd dev_type:blk_file { relabelfrom relabelto create setattr unlink }; allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms; allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
allow ueventd efs_file:dir search; allow ueventd efs_file:dir search;
allow ueventd efs_file:file r_file_perms; allow ueventd efs_file:file r_file_perms;
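Review bot: `getattr` is added to both the `dev_type:chr_file` and `dev_type:blk_file` allow rules, which matches the lgetfilecon()/lgetxattr() requirement in the commit message. Note that chr_file still gets no relabelfrom/relabelto, so the label comparison will now succeed while any lsetfilecon() to a different label on a character device remains denied; that is the deferral the message describes, but such a case will surface as an AVC denial rather than silently, so the ueventd code path should treat a failed relabel as non-fatal.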
...@@ -39,3 +39,9 @@ allow ueventd self:process setfscreate; ...@@ -39,3 +39,9 @@ allow ueventd self:process setfscreate;
neverallow ueventd property_socket:sock_file write; neverallow ueventd property_socket:sock_file write;
neverallow ueventd init:unix_stream_socket connectto; neverallow ueventd init:unix_stream_socket connectto;
neverallow ueventd property_type:property_service set; neverallow ueventd property_type:property_service set;
# Restrict ueventd access on block devices to maintenence operations.
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
# Only relabelto as we would never want to relabelfrom kmem_device
neverallow ueventd kmem_device:chr_file ~{ getattr create setattr unlink relabelto };
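Review bot: typo in the new comment, "maintenence" should be "maintenance". The `dev_type:blk_file` neverallow set matches the allow rule's set exactly, and the `kmem_device:chr_file` set `{ getattr create setattr unlink relabelto }` is the same set the global `kmem_device:chr_file` neverallow permits, so the two files are consistent; it would help to state in the comment that this rule is what the `# Further restricted in ueventd.te` exclusions in the other file rely on, so the coupling is obvious to the next editor.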