Blame - ueventd.te - fp2-dev/platform/external/sepolicy

blob: f4884d70345aad4c0861618862c825819f74d555 [file] [log] [blame]

Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	1	# ueventd seclabel is specified in init.rc since
				2	# it lives in the rootfs and has no unique file type.
				3	type ueventd, domain;
				4	tmpfs_domain(ueventd)
Nick Kralevich	e265197	2015-06-06 07:42:37 -0700	[diff] [blame]	5
				6	# TODO: why is ueventd using __kmsg__ when it should just create
				7	# and use /dev/kmsg instead?
				8	type_transition ueventd device:chr_file klog_device "__kmsg__";
				9	allow ueventd klog_device:chr_file { create open write unlink };
				10
William Roberts	85c5fc2	2013-10-06 15:36:11 -0400	[diff] [blame]	11	security_access_policy(ueventd)
William Roberts	85c5fc2	2013-10-06 15:36:11 -0400	[diff] [blame]	12	allow ueventd init:process sigchld;
				13	allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
				14	allow ueventd device:file create_file_perms;
				15	allow ueventd device:chr_file rw_file_perms;
				16	allow ueventd sysfs:file rw_file_perms;
Nick Kralevich	1d2ff86	2014-07-09 23:07:10 -0700	[diff] [blame]	17	allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
Nick Kralevich	b8bdfde	2014-07-03 16:10:01 -0700	[diff] [blame]	18	allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
Stephen Smalley	9add1f0	2014-05-08 13:18:52 -0400	[diff] [blame]	19	allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
William Roberts	85c5fc2	2013-10-06 15:36:11 -0400	[diff] [blame]	20	allow ueventd tmpfs:chr_file rw_file_perms;
				21	allow ueventd dev_type:dir create_dir_perms;
				22	allow ueventd dev_type:lnk_file { create unlink };
				23	allow ueventd dev_type:chr_file { create setattr unlink };
				24	allow ueventd dev_type:blk_file { create setattr unlink };
Stephen Smalley	1601132	2014-02-24 15:06:11 -0500	[diff] [blame]	25	allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
William Roberts	85c5fc2	2013-10-06 15:36:11 -0400	[diff] [blame]	26	allow ueventd efs_file:dir search;
				27	allow ueventd efs_file:file r_file_perms;
Stephen Smalley	356f4be	2014-05-23 11:26:19 -0400	[diff] [blame]	28
				29	# Use setfscreatecon() to label /dev directories and files.
				30	allow ueventd self:process setfscreate;
Nick Kralevich	3e113ed	2015-03-02 20:10:48 -0800	[diff] [blame]	31
				32	#####
				33	##### neverallow rules
				34	#####
				35
				36	# ueventd must never set properties, otherwise deadlocks may occur.
				37	# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
				38	# No writing to the property socket, connecting to init, or setting properties.
				39	neverallow ueventd property_socket:sock_file write;
				40	neverallow ueventd init:unix_stream_socket connectto;
				41	neverallow ueventd property_type:property_service set;