prebuilts/api/202404/public/ueventd.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 type ueventd_tmpfs, file_type;

 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;

 allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
 allow ueventd device:file create_file_perms;

 r_dir_file(ueventd, rootfs)

 # ueventd needs write access to files in /sys to regenerate uevents
 allow ueventd sysfs_type:file w_file_perms;
 r_dir_file(ueventd, sysfs_type)
 allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
 allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
 allow ueventd tmpfs:chr_file rw_file_perms;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { getattr create setattr unlink };
 allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
 allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow ueventd efs_file:dir search;
 allow ueventd efs_file:file r_file_perms;

 # Get SELinux enforcing status.
 r_dir_file(ueventd, selinuxfs)

 # Access for /vendor/ueventd.rc and /vendor/firmware
 r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })

 # Access for /apex/*/firmware
 allow ueventd apex_mnt_dir:dir r_dir_perms;

 # Get file contexts for new device nodes
 allow ueventd file_contexts_file:file r_file_perms;

 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;

 # Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
 allow ueventd proc_cmdline:file r_file_perms;
 allow ueventd proc_bootconfig:file r_file_perms;

 # Everything is labeled as rootfs in recovery mode. ueventd has to execute
 # the dynamic linker and shared libraries.
 recovery_only(`
   allow ueventd rootfs:file { r_file_perms execute };
 ')

 # Suppress denials for ueventd to getattr /postinstall. This occurs when the
 # linker tries to resolve paths in ld.config.txt.
 dontaudit ueventd postinstall_mnt_dir:dir getattr;

 # ueventd loads modules in response to modalias events.
 allow ueventd self:global_capability_class_set sys_module;
 allow ueventd vendor_file:system module_load;
 allow ueventd kernel:key search;

 # ueventd is using bootstrap bionic
 use_bootstrap_libs(ueventd)

 # Allow ueventd to run shell scripts from vendor
 allow ueventd vendor_shell_exec:file execute;

 # Query device-mapper to extract name/uuid in response to uevents.
 allow ueventd dm_device:chr_file rw_file_perms;
 allow ueventd self:capability sys_admin;

 # Allow ueventd to read apexd property
 get_prop(ueventd, apexd_prop)

 #####
 ##### neverallow rules
 #####

 # Restrict ueventd access on block devices to maintenence operations.
 neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };

 # Only relabelto as we would never want to relabelfrom port_device
 neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };

 # Nobody should be able to ptrace ueventd
 neverallow * ueventd:process ptrace;

 # ueventd should never execute a program without changing to another domain.
 neverallow ueventd { file_type fs_type }:file execute_no_trans;
	# ueventd seclabel is specified in init.rc since
	# it lives in the rootfs and has no unique file type.
	type ueventd, domain;
	type ueventd_tmpfs, file_type;

	# Write to /dev/kmsg.
	allow ueventd kmsg_device:chr_file rw_file_perms;

	allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
	allow ueventd device:file create_file_perms;

	r_dir_file(ueventd, rootfs)

	# ueventd needs write access to files in /sys to regenerate uevents
	allow ueventd sysfs_type:file w_file_perms;
	r_dir_file(ueventd, sysfs_type)
	allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
	allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
	allow ueventd tmpfs:chr_file rw_file_perms;
	allow ueventd dev_type:dir create_dir_perms;
	allow ueventd dev_type:lnk_file { create unlink };
	allow ueventd dev_type:chr_file { getattr create setattr unlink };
	allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
	allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
	allow ueventd efs_file:dir search;
	allow ueventd efs_file:file r_file_perms;

	# Get SELinux enforcing status.
	r_dir_file(ueventd, selinuxfs)

	# Access for /vendor/ueventd.rc and /vendor/firmware
	r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })

	# Access for /apex/*/firmware
	allow ueventd apex_mnt_dir:dir r_dir_perms;

	# Get file contexts for new device nodes
	allow ueventd file_contexts_file:file r_file_perms;

	# Use setfscreatecon() to label /dev directories and files.
	allow ueventd self:process setfscreate;

	# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
	allow ueventd proc_cmdline:file r_file_perms;
	allow ueventd proc_bootconfig:file r_file_perms;

	# Everything is labeled as rootfs in recovery mode. ueventd has to execute
	# the dynamic linker and shared libraries.
	recovery_only(`
	allow ueventd rootfs:file { r_file_perms execute };
	')

	# Suppress denials for ueventd to getattr /postinstall. This occurs when the
	# linker tries to resolve paths in ld.config.txt.
	dontaudit ueventd postinstall_mnt_dir:dir getattr;

	# ueventd loads modules in response to modalias events.
	allow ueventd self:global_capability_class_set sys_module;
	allow ueventd vendor_file:system module_load;
	allow ueventd kernel:key search;

	# ueventd is using bootstrap bionic
	use_bootstrap_libs(ueventd)

	# Allow ueventd to run shell scripts from vendor
	allow ueventd vendor_shell_exec:file execute;

	# Query device-mapper to extract name/uuid in response to uevents.
	allow ueventd dm_device:chr_file rw_file_perms;
	allow ueventd self:capability sys_admin;

	# Allow ueventd to read apexd property
	get_prop(ueventd, apexd_prop)

	#####
	##### neverallow rules
	#####

	# Restrict ueventd access on block devices to maintenence operations.
	neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };

	# Only relabelto as we would never want to relabelfrom port_device
	neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };

	# Nobody should be able to ptrace ueventd
	neverallow * ueventd:process ptrace;

	# ueventd should never execute a program without changing to another domain.
	neverallow ueventd { file_type fs_type }:file execute_no_trans;