1typeattribute ueventd coredomain; 2 3tmpfs_domain(ueventd) 4 5# ueventd can set properties, particularly it sets ro.cold_boot_done to signal 6# to init that cold boot has completed. 7set_prop(ueventd, cold_boot_done_prop) 8 9# Write to /dev/kmsg. 10allow ueventd kmsg_device:chr_file rw_file_perms; 11 12allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid }; 13allow ueventd device:file create_file_perms; 14 15r_dir_file(ueventd, rootfs) 16 17# ueventd needs write access to files in /sys to regenerate uevents 18allow ueventd sysfs_type:file w_file_perms; 19r_dir_file(ueventd, sysfs_type) 20allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr }; 21allow ueventd sysfs_type:dir { relabelfrom relabelto setattr }; 22allow ueventd tmpfs:chr_file rw_file_perms; 23allow ueventd dev_type:dir create_dir_perms; 24allow ueventd dev_type:lnk_file { create unlink }; 25allow ueventd dev_type:chr_file { getattr create setattr unlink }; 26allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink }; 27allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; 28allow ueventd efs_file:dir search; 29allow ueventd efs_file:file r_file_perms; 30 31# Get SELinux enforcing status. 32r_dir_file(ueventd, selinuxfs) 33 34# Access for /vendor/ueventd.rc and /vendor/firmware 35r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file }) 36 37# Access for /apex/*/firmware 38allow ueventd apex_mnt_dir:dir r_dir_perms; 39 40# Get file contexts for new device nodes 41allow ueventd file_contexts_file:file r_file_perms; 42 43# Use setfscreatecon() to label /dev directories and files. 44allow ueventd self:process setfscreate; 45 46# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig. 47allow ueventd proc_cmdline:file r_file_perms; 48allow ueventd proc_bootconfig:file r_file_perms; 49 50# Everything is labeled as rootfs in recovery mode. ueventd has to execute 51# the dynamic linker and shared libraries. 52recovery_only(` 53 allow ueventd rootfs:file { r_file_perms execute }; 54') 55 56# Suppress denials for ueventd to getattr /postinstall. This occurs when the 57# linker tries to resolve paths in ld.config.txt. 58dontaudit ueventd postinstall_mnt_dir:dir getattr; 59 60# ueventd loads modules in response to modalias events. 61allow ueventd self:global_capability_class_set sys_module; 62allow ueventd vendor_file:system module_load; 63allow ueventd kernel:key search; 64 65# ueventd is using bootstrap bionic 66use_bootstrap_libs(ueventd) 67 68# Allow ueventd to run shell scripts from vendor 69allow ueventd vendor_shell_exec:file execute; 70 71# Query device-mapper to extract name/uuid in response to uevents. 72allow ueventd dm_device:chr_file rw_file_perms; 73allow ueventd self:capability sys_admin; 74 75# Allow ueventd to read apexd property 76get_prop(ueventd, apexd_prop) 77 78##### 79##### neverallow rules 80##### 81 82# Restrict ueventd access on block devices to maintenence operations. 83neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink }; 84 85# Only relabelto as we would never want to relabelfrom port_device 86neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto }; 87 88# Nobody should be able to ptrace ueventd 89neverallow * ueventd:process ptrace; 90 91# ueventd should never execute a program without changing to another domain. 92neverallow ueventd { file_type fs_type }:file execute_no_trans; 93