1# ueventd seclabel is specified in init.rc since 2# it lives in the rootfs and has no unique file type. 3type ueventd, domain; 4type ueventd_tmpfs, file_type; 5 6# Write to /dev/kmsg. 7allow ueventd kmsg_device:chr_file rw_file_perms; 8 9allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid }; 10allow ueventd device:file create_file_perms; 11 12r_dir_file(ueventd, rootfs) 13 14# ueventd needs write access to files in /sys to regenerate uevents 15allow ueventd sysfs_type:file w_file_perms; 16r_dir_file(ueventd, sysfs_type) 17allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr }; 18allow ueventd sysfs_type:dir { relabelfrom relabelto setattr }; 19allow ueventd tmpfs:chr_file rw_file_perms; 20allow ueventd dev_type:dir create_dir_perms; 21allow ueventd dev_type:lnk_file { create unlink }; 22allow ueventd dev_type:chr_file { getattr create setattr unlink }; 23allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink }; 24allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; 25allow ueventd efs_file:dir search; 26allow ueventd efs_file:file r_file_perms; 27 28# Get SELinux enforcing status. 29r_dir_file(ueventd, selinuxfs) 30 31# Access for /vendor/ueventd.rc and /vendor/firmware 32r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file }) 33 34# Get file contexts for new device nodes 35allow ueventd file_contexts_file:file r_file_perms; 36 37# Use setfscreatecon() to label /dev directories and files. 38allow ueventd self:process setfscreate; 39 40# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline. 41allow ueventd proc_cmdline:file r_file_perms; 42 43# Everything is labeled as rootfs in recovery mode. ueventd has to execute 44# the dynamic linker and shared libraries. 45recovery_only(` 46 allow ueventd rootfs:file { r_file_perms execute }; 47') 48 49# Suppress denials for ueventd to getattr /postinstall. This occurs when the 50# linker tries to resolve paths in ld.config.txt. 51dontaudit ueventd postinstall_mnt_dir:dir getattr; 52 53# ueventd loads modules in response to modalias events. 54allow ueventd self:global_capability_class_set sys_module; 55allow ueventd vendor_file:system module_load; 56allow ueventd kernel:key search; 57 58# ueventd is using bootstrap bionic 59allow ueventd system_bootstrap_lib_file:dir r_dir_perms; 60allow ueventd system_bootstrap_lib_file:file { execute read open getattr map }; 61 62# Allow ueventd to run shell scripts from vendor 63allow ueventd vendor_shell_exec:file execute; 64 65##### 66##### neverallow rules 67##### 68 69# Restrict ueventd access on block devices to maintenence operations. 70neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink }; 71 72# Only relabelto as we would never want to relabelfrom port_device 73neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto }; 74 75# Nobody should be able to ptrace ueventd 76neverallow * ueventd:process ptrace; 77 78# ueventd should never execute a program without changing to another domain. 79neverallow ueventd { file_type fs_type }:file execute_no_trans; 80