Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 1 | # ueventd seclabel is specified in init.rc since |
| 2 | # it lives in the rootfs and has no unique file type. |
| 3 | type ueventd, domain; |
| 4 | tmpfs_domain(ueventd) |
Nick Kralevich | e265197 | 2015-06-06 07:42:37 -0700 | [diff] [blame] | 5 | |
| 6 | # TODO: why is ueventd using __kmsg__ when it should just create |
| 7 | # and use /dev/kmsg instead? |
| 8 | type_transition ueventd device:chr_file klog_device "__kmsg__"; |
| 9 | allow ueventd klog_device:chr_file { create open write unlink }; |
| 10 | |
William Roberts | 85c5fc2 | 2013-10-06 15:36:11 -0400 | [diff] [blame] | 11 | security_access_policy(ueventd) |
William Roberts | 85c5fc2 | 2013-10-06 15:36:11 -0400 | [diff] [blame] | 12 | allow ueventd init:process sigchld; |
| 13 | allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner }; |
| 14 | allow ueventd device:file create_file_perms; |
| 15 | allow ueventd device:chr_file rw_file_perms; |
| 16 | allow ueventd sysfs:file rw_file_perms; |
Nick Kralevich | 1d2ff86 | 2014-07-09 23:07:10 -0700 | [diff] [blame] | 17 | allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr }; |
Nick Kralevich | b8bdfde | 2014-07-03 16:10:01 -0700 | [diff] [blame] | 18 | allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms }; |
Stephen Smalley | 9add1f0 | 2014-05-08 13:18:52 -0400 | [diff] [blame] | 19 | allow ueventd sysfs_devices_system_cpu:file rw_file_perms; |
William Roberts | 85c5fc2 | 2013-10-06 15:36:11 -0400 | [diff] [blame] | 20 | allow ueventd tmpfs:chr_file rw_file_perms; |
| 21 | allow ueventd dev_type:dir create_dir_perms; |
| 22 | allow ueventd dev_type:lnk_file { create unlink }; |
| 23 | allow ueventd dev_type:chr_file { create setattr unlink }; |
| 24 | allow ueventd dev_type:blk_file { create setattr unlink }; |
Stephen Smalley | 1601132 | 2014-02-24 15:06:11 -0500 | [diff] [blame] | 25 | allow ueventd self:netlink_kobject_uevent_socket create_socket_perms; |
William Roberts | 85c5fc2 | 2013-10-06 15:36:11 -0400 | [diff] [blame] | 26 | allow ueventd efs_file:dir search; |
| 27 | allow ueventd efs_file:file r_file_perms; |
Stephen Smalley | 356f4be | 2014-05-23 11:26:19 -0400 | [diff] [blame] | 28 | |
| 29 | # Use setfscreatecon() to label /dev directories and files. |
| 30 | allow ueventd self:process setfscreate; |
Nick Kralevich | 3e113ed | 2015-03-02 20:10:48 -0800 | [diff] [blame] | 31 | |
| 32 | ##### |
| 33 | ##### neverallow rules |
| 34 | ##### |
| 35 | |
| 36 | # ueventd must never set properties, otherwise deadlocks may occur. |
| 37 | # https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941 |
| 38 | # No writing to the property socket, connecting to init, or setting properties. |
| 39 | neverallow ueventd property_socket:sock_file write; |
| 40 | neverallow ueventd init:unix_stream_socket connectto; |
| 41 | neverallow ueventd property_type:property_service set; |