# ueventd seclabel is specified in init.rc since # it lives in the rootfs and has no unique file type. type ueventd, domain; type ueventd_tmpfs, file_type; # Write to /dev/kmsg. allow ueventd kmsg_device:chr_file rw_file_perms; allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid }; allow ueventd device:file create_file_perms; r_dir_file(ueventd, rootfs) # ueventd needs write access to files in /sys to regenerate uevents allow ueventd sysfs_type:file w_file_perms; r_dir_file(ueventd, sysfs_type) allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr }; allow ueventd sysfs_type:dir { relabelfrom relabelto setattr }; allow ueventd tmpfs:chr_file rw_file_perms; allow ueventd dev_type:dir create_dir_perms; allow ueventd dev_type:lnk_file { create unlink }; allow ueventd dev_type:chr_file { getattr create setattr unlink }; allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink }; allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; allow ueventd efs_file:dir search; allow ueventd efs_file:file r_file_perms; # Get SELinux enforcing status. r_dir_file(ueventd, selinuxfs) # Access for /vendor/ueventd.rc and /vendor/firmware r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file }) # Access for /apex/*/firmware allow ueventd apex_mnt_dir:dir r_dir_perms; # Get file contexts for new device nodes allow ueventd file_contexts_file:file r_file_perms; # Use setfscreatecon() to label /dev directories and files. allow ueventd self:process setfscreate; # Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig. allow ueventd proc_cmdline:file r_file_perms; allow ueventd proc_bootconfig:file r_file_perms; # Everything is labeled as rootfs in recovery mode. ueventd has to execute # the dynamic linker and shared libraries. recovery_only(` allow ueventd rootfs:file { r_file_perms execute }; ') # Suppress denials for ueventd to getattr /postinstall. This occurs when the # linker tries to resolve paths in ld.config.txt. dontaudit ueventd postinstall_mnt_dir:dir getattr; # ueventd loads modules in response to modalias events. allow ueventd self:global_capability_class_set sys_module; allow ueventd vendor_file:system module_load; allow ueventd kernel:key search; # ueventd is using bootstrap bionic allow ueventd system_bootstrap_lib_file:dir r_dir_perms; allow ueventd system_bootstrap_lib_file:file { execute read open getattr map }; # Allow ueventd to run shell scripts from vendor allow ueventd vendor_shell_exec:file execute; ##### ##### neverallow rules ##### # Restrict ueventd access on block devices to maintenence operations. neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink }; # Only relabelto as we would never want to relabelfrom port_device neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto }; # Nobody should be able to ptrace ueventd neverallow * ueventd:process ptrace; # ueventd should never execute a program without changing to another domain. neverallow ueventd { file_type fs_type }:file execute_no_trans;