# SELinux policy for the ueventd domain. ueventd is started by init, receives
# kernel uevents over a netlink socket and creates, labels and removes device
# nodes under /dev (see the dev_type rules and the setfscreate rule below).
#
# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
type ueventd_tmpfs, file_type;

# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;

# Capabilities needed to create device nodes (mknod) and to set their owner,
# group and mode (chown, fowner, fsetid, setuid/setgid) while bypassing DAC
# checks (dac_override, dac_read_search). net_admin is presumably for the
# netlink uevent socket and sys_rawio for raw device access -- NOTE(review):
# the exact consumer of those two is not visible in this file; confirm.
allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
# Create and write regular files carrying the generic device label.
allow ueventd device:file create_file_perms;

r_dir_file(ueventd, rootfs)

# ueventd needs write access to files in /sys to regenerate uevents
allow ueventd sysfs_type:file w_file_perms;
r_dir_file(ueventd, sysfs_type)
# Relabel and chown/chmod entries under /sys; presumably this is how the /sys
# lines of ueventd.rc (referenced below) are applied -- NOTE(review): confirm.
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
# NOTE(review): read/write of character devices still labeled tmpfs; the
# reason (nodes created before /dev contexts are applied?) is not visible here.
allow ueventd tmpfs:chr_file rw_file_perms;
# Create, remove and (for block devices) relabel nodes, directories and
# symlinks under /dev. Character devices get no relabel permission here: new
# nodes receive their label via setfscreate below. The blk_file set granted
# here is exactly the set the neverallow rule at the bottom permits.
allow ueventd dev_type:dir create_dir_perms;
allow ueventd dev_type:lnk_file { create unlink };
allow ueventd dev_type:chr_file { getattr create setattr unlink };
allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
# Receive kernel uevents (no ioctl on the socket).
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# Read-only access to efs_file content.
allow ueventd efs_file:dir search;
allow ueventd efs_file:file r_file_perms;

# Get SELinux enforcing status.
r_dir_file(ueventd, selinuxfs)

# Access for /vendor/ueventd.rc and /vendor/firmware
r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })

# Get file contexts for new device nodes
allow ueventd file_contexts_file:file r_file_perms;

# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;

# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
allow ueventd proc_cmdline:file r_file_perms;

# Everything is labeled as rootfs in recovery mode. ueventd has to execute
# the dynamic linker and shared libraries.
recovery_only(`
  allow ueventd rootfs:file { r_file_perms execute };
')

# Suppress denials for ueventd to getattr /postinstall. This occurs when the
# linker tries to resolve paths in ld.config.txt.
dontaudit ueventd postinstall_mnt_dir:dir getattr;

# ueventd loads modules in response to modalias events.
# module_load is granted here for vendor_file only. The kernel:key search is
# presumably for module signature verification against the kernel keyring --
# NOTE(review): confirm.
allow ueventd self:global_capability_class_set sys_module;
allow ueventd vendor_file:system module_load;
allow ueventd kernel:key search;

# ueventd is using bootstrap bionic
allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };

# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
# to init that cold boot has completed.
set_prop(ueventd, cold_boot_done_prop)

# Allow ueventd to run shell scripts from vendor
# (execute only, no execute_no_trans -- per the neverallow at the bottom the
# exec must transition into another domain).
allow ueventd vendor_shell_exec:file execute;

#####
##### neverallow rules
#####

# Restrict ueventd access on block devices to maintenance operations
# (no open, read, write or ioctl of the block device itself).
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };

# Only relabelto as we would never want to relabelfrom port_device
neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };

# Nobody should be able to ptrace ueventd
# (it holds the capabilities granted above and creates every /dev node).
neverallow * ueventd:process ptrace;

# ueventd should never execute a program without changing to another domain.
neverallow ueventd { file_type fs_type }:file execute_no_trans;