• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# ueventd seclabel is specified in init.rc since
2# it lives in the rootfs and has no unique file type.
3type ueventd, domain;
4type ueventd_tmpfs, file_type;
5
6# Write to /dev/kmsg.
7allow ueventd kmsg_device:chr_file rw_file_perms;
8
9allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
10allow ueventd device:file create_file_perms;
11
12r_dir_file(ueventd, rootfs)
13
14# ueventd needs write access to files in /sys to regenerate uevents
15allow ueventd sysfs_type:file w_file_perms;
16r_dir_file(ueventd, sysfs_type)
17allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
18allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
19allow ueventd tmpfs:chr_file rw_file_perms;
20allow ueventd dev_type:dir create_dir_perms;
21allow ueventd dev_type:lnk_file { create unlink };
22allow ueventd dev_type:chr_file { getattr create setattr unlink };
23allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
24allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
25allow ueventd efs_file:dir search;
26allow ueventd efs_file:file r_file_perms;
27
28# Get SELinux enforcing status.
29r_dir_file(ueventd, selinuxfs)
30
31# Access for /vendor/ueventd.rc and /vendor/firmware
32r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
33
34# Access for /apex/*/firmware
35allow ueventd apex_mnt_dir:dir r_dir_perms;
36
37# Get file contexts for new device nodes
38allow ueventd file_contexts_file:file r_file_perms;
39
40# Use setfscreatecon() to label /dev directories and files.
41allow ueventd self:process setfscreate;
42
43# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
44allow ueventd proc_cmdline:file r_file_perms;
45allow ueventd proc_bootconfig:file r_file_perms;
46
47# Everything is labeled as rootfs in recovery mode. ueventd has to execute
48# the dynamic linker and shared libraries.
49recovery_only(`
50  allow ueventd rootfs:file { r_file_perms execute };
51')
52
53# Suppress denials for ueventd to getattr /postinstall. This occurs when the
54# linker tries to resolve paths in ld.config.txt.
55dontaudit ueventd postinstall_mnt_dir:dir getattr;
56
57# ueventd loads modules in response to modalias events.
58allow ueventd self:global_capability_class_set sys_module;
59allow ueventd vendor_file:system module_load;
60allow ueventd kernel:key search;
61
62# ueventd is using bootstrap bionic
63use_bootstrap_libs(ueventd)
64
65# Allow ueventd to run shell scripts from vendor
66allow ueventd vendor_shell_exec:file execute;
67
68#####
69##### neverallow rules
70#####
71
72# Restrict ueventd access on block devices to maintenence operations.
73neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
74
75# Only relabelto as we would never want to relabelfrom port_device
76neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
77
78# Nobody should be able to ptrace ueventd
79neverallow * ueventd:process ptrace;
80
81# ueventd should never execute a program without changing to another domain.
82neverallow ueventd { file_type fs_type }:file execute_no_trans;
83