ueventd.te: auditallow device:chr_file

By default, files created in /dev are labeled with the "device" label unless a different label has been assigned. The direct use of this generic label is discouraged (and in many cases neverallowed) because rules involving this label tend to be overly broad and permissive. Today, generically labeled character devices can only be opened, read, or written to by init and ueventd. $ sesearch --allow -t device -c chr_file -p open,read,write out/target/product/marlin/root/sepolicy allow init device:chr_file { setattr read lock getattr write ioctl open append }; allow ueventd device:chr_file { read lock getattr write ioctl open append }; this is enforced by the following SELinux neverallow rule (compile time assertion + CTS test): neverallow { domain -init -ueventd } device:chr_file { open read write }; Start auditallowing ueventd access to /dev character device files with the default SELinux label. This doesn't appear to be used, but let's prove it. While ueventd is expected to create files in /dev, it has no need to open most of the files it creates. Note, however, that because ueventd has mknod + setfscreate permissions, a malicious or compromised ueventd can always create a device node under an incorrect label, and gain access that way. The goal of this change is to prove that no process other than init are accessing generically labeled files in /dev. While I'm here, tighten up the compile time assertion for device:chr_file to include more permissions. Test: policy compiles + device boots with no granted messages. Change-Id: Ic98b0ddc631b49b09e58698d9f40738ccedd1fd0

ueventd.te: auditallow device:chr_file
ed0b4eb3 · Nick Kralevich · a24d7f53 · ed0b4eb3 · ed0b4eb3
Commit ed0b4eb3 authored 8 years ago by Nick Kralevich
--- a/public/domain.te
+++ b/public/domain.te
@@ -299,8 +299,9 @@ neverallow { domain -kernel -init -recovery } block_device:blk_file { open read
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
 # init is exempt from this as there are character devices that only it uses.
-# ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd } device:chr_file { open read write };
+# uevent historically was granted access, but this does not appear used.
+# Tightening candidate?
+neverallow { domain -init -ueventd } device:chr_file no_rw_file_perms;

 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need

--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -7,7 +7,12 @@ allow ueventd kmsg_device:chr_file rw_file_perms;

 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
+
+# Read/write generically labeled /dev character device files.
+# TODO: this rule appears unnecessary. Delete?
 allow ueventd device:chr_file rw_file_perms;
+auditallow ueventd device:chr_file { read lock write ioctl open append };
+
 r_dir_file(ueventd, sysfs_type)
 r_dir_file(ueventd, rootfs)
 allow ueventd sysfs:file w_file_perms;