From ed0b4eb366d029d73918c573f5729967f31a7f93 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 2 Dec 2016 20:16:32 -0800
Subject: [PATCH] ueventd.te: auditallow device:chr_file

By default, files created in /dev are labeled with the "device" label unless a different label has been assigned. The direct use of this generic label is discouraged (and in many cases neverallowed) because rules involving this label tend to be overly broad and permissive.

Today, generically labeled character devices can only be opened, read, or written to by init and ueventd.

$ sesearch --allow -t device -c chr_file -p open,read,write out/target/product/marlin/root/sepolicy
allow init device:chr_file { setattr read lock getattr write ioctl open append };
allow ueventd device:chr_file { read lock getattr write ioctl open append };

this is enforced by the following SELinux neverallow rule (compile time assertion + CTS test):

neverallow { domain -init -ueventd } device:chr_file { open read write };

Start auditallowing ueventd access to /dev character device files with the default SELinux label. This doesn't appear to be used, but let's prove it. While ueventd is expected to create files in /dev, it has no need to open most of the files it creates.

Note, however, that because ueventd has mknod + setfscreate permissions, a malicious or compromised ueventd can always create a device node under an incorrect label, and gain access that way. The goal of this change is to prove that no process other than init are accessing generically labeled files in /dev.

While I'm here, tighten up the compile time assertion for device:chr_file to include more permissions.

Test: policy compiles + device boots with no granted messages.

Change-Id: Ic98b0ddc631b49b09e58698d9f40738ccedd1fd0
---
 public/domain.te | 5 +++--
 public/ueventd.te | 5 +++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 30dbd7e73..c010d7923 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -299,8 +299,9 @@ neverallow { domain -kernel -init -recovery } block_device:blk_file { open read
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
 # init is exempt from this as there are character devices that only it uses.
-# ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd } device:chr_file { open read write };
+# uevent historically was granted access, but this does not appear used.
+# Tightening candidate?
+neverallow { domain -init -ueventd } device:chr_file no_rw_file_perms;
 
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
diff --git a/public/ueventd.te b/public/ueventd.te
index 3f1dcd473..ce1cb37f1 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -7,7 +7,12 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
 
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
+
+# Read/write generically labeled /dev character device files.
+# TODO: this rule appears unnecessary. Delete?
 allow ueventd device:chr_file rw_file_perms;
+auditallow ueventd device:chr_file { read lock write ioctl open append };
+
 r_dir_file(ueventd, sysfs_type)
 r_dir_file(ueventd, rootfs)
 allow ueventd sysfs:file w_file_perms;
-- 
GitLab
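Review bot: The new comment above the neverallow reads `uevent` while the exemption list on the next line still says `-ueventd`; that is a typo for the domain name, and "does not appear used" sits oddly next to a rule that still exempts it, so the comment should state the dependency explicitly: `# ueventd is still exempt while the auditallow in ueventd.te confirms it never opens generically labeled nodes; drop -ueventd here in the same change that deletes that allow rule.` The assertion also widens from `{ open read write }` to `no_rw_file_perms`, which is a macro defined outside this hunk; the commit says the policy compiles, so no other domain currently holds any permission in that set, but I would confirm against global_macros which permissions (e.g. setattr, relabelfrom, unlink) the CTS test now asserts, since init's observed set in the commit message includes setattr.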
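Review bot: The added `auditallow ueventd device:chr_file { read lock write ioctl open append };` omits `getattr`, which the `rw_file_perms` rule it sits under does grant (the sesearch output in the commit message expands it to `{ read lock getattr write ioctl open append }`), so a silent audit log does not by itself prove the `allow ... rw_file_perms` line can be deleted whole — a `getattr` on a node ueventd just created is plausible, though not shown here, and would start being denied once the rule goes. Either audit the full set with `auditallow ueventd device:chr_file rw_file_perms;` or make the exclusion explicit in the TODO: `# TODO: this rule appears unnecessary. getattr is deliberately not audited; keep it as its own allow if the rw rule is dropped.` Also, because ueventd's open paths are driven by coldboot and later hotplug uevents, the "boots with no granted messages" test in the commit record only covers boot; USB/storage hotplug on more than one device should be exercised before the allow rule is removed.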