From 0e3235f45de11e8f1e7e263e433548450065f255 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Wed, 6 Dec 2017 17:00:59 +0000
Subject: [PATCH] init: remove open, read, write access to 'sysfs' type.

Add write access to:
sysfs_android_usb
sysfs_leds
sysfs_power
sysfs_zram

Add setattr access to:
sysfs_android_usb
sysfs_devices_system_cpu
sysfs_lowmemorykiller
sysfs_power
sysfs_leds
sysfs_ipv4

Bug: 70040773
Bug: 65643247
Change-Id: I68e2e796f5599c9d281897759c8d8eef9363559a
Test: walleye boots with no denials from init to sysfs.
---
 private/genfs_contexts |  1 +
 public/init.te         | 27 ++++++++++++++++++++++-----
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/private/genfs_contexts b/private/genfs_contexts
index b76b14575..dbff4679b 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -101,6 +101,7 @@ genfscon sysfs /devices/virtual/net             u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/switch          u:object_r:sysfs_switch:s0
 genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
 genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
 genfscon sysfs /power/state u:object_r:sysfs_power:s0
 genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
 genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
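Review bot: Labeling `/power/autosleep` as `sysfs_power` on the added `genfscon` line applies every existing `sysfs_power` rule to this node, not only init's. Domains that already hold write access to `sysfs_power` for `/power/state` or `/power/wakeup_count` would gain write access to autosleep as well; their rules are outside this diff. That may be wider than the init-only need the commit message describes. It would help to confirm that set of domains is acceptable and to say so in the description.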
diff --git a/public/init.te b/public/init.te
index 11953a4f6..62a6e04e2 100644
--- a/public/init.te
+++ b/public/init.te
@@ -211,6 +211,7 @@ allow init {
   -contextmount_type
   -proc
   -sdcard_type
+  -sysfs
   -rootfs
 }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
@@ -292,6 +293,24 @@ allow init {
   proc_security
 }:file rw_file_perms;
 
+# init access to /sys files.
+allow init {
+  sysfs_android_usb
+  sysfs_leds
+  sysfs_power
+  sysfs_zram
+}:file w_file_perms;
+
+# init chmod/chown access to /sys files.
+allow init {
+  sysfs_android_usb
+  sysfs_devices_system_cpu
+  sysfs_ipv4
+  sysfs_leds
+  sysfs_lowmemorykiller
+  sysfs_power
+}:file setattr;
+
 # Set usermodehelpers.
 allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
 
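Review bot: The first added `allow` grants write on only four types, while the rule removed in the next hunk, `allow init sysfs_type:file rw_file_perms;`, covered every labeled sysfs type. `sysfs_devices_system_cpu`, `sysfs_lowmemorykiller` and `sysfs_ipv4` get only `setattr` here. An init.rc write to those nodes would therefore be denied unless a rule outside this diff allows it, and the Test line covers only walleye. The comment `# init access to /sys files.` would also be clearer as `# init write access to explicitly labeled /sys files.`.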
@@ -300,11 +319,6 @@ allow init self:global_capability_class_set net_admin;
 # Reboot.
 allow init self:global_capability_class_set sys_boot;
 
-# Write to sysfs nodes.
-allow init sysfs_type:dir r_dir_perms;
-allow init sysfs_type:lnk_file read;
-allow init sysfs_type:file rw_file_perms;
-
 # Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
 # Init will also walk through the directory as part of a recursive restorecon.
 allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
@@ -458,3 +472,6 @@ neverallow init servicemanager:service_manager list;
 
 # Init should not be creating subdirectories in /data/local/tmp
 neverallow init shell_data_file:dir { write add_name remove_name };
+
+# Init should not access sysfs node that are not explicitly labeled.
+neverallow init sysfs:file { open read write };
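Review bot: The new `neverallow` omits `setattr`, although the first init.te hunk removes `setattr` on `sysfs:file` along with `open` and `read` by adding `-sysfs` to that set. If chmod/chown of unlabeled sysfs nodes is also meant to stay forbidden, the rule could read `neverallow init sysfs:file { open read write setattr };`. Without it, a later `allow` could restore `setattr` without failing the build. The comment also has a small typo: `sysfs node that are` should be `sysfs nodes that are`.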
-- 
GitLab