From ece21859fc7a59c3eab2f352c2a51c34e37f8f3f Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 12 Jul 2017 10:37:57 -0700
Subject: [PATCH] create separate usermodehelper type for sysfs

Prevent files in /proc from incorrectly having sysfs_type attribute. Rework neverallows so that ueventd has write access to all of /sys which it needs to handle uevents.

Bug: 63147833
Test: Build. Flash angler, verify files are correctly labeled and no new denials are in the logs.
Change-Id: Ib94d44e78cee0e83e2ac924f1c72e611e8e73558
---
 prebuilts/api/26.0/26.0.cil | 2 +-
 private/genfs_contexts | 2 +-
 public/domain.te | 1 +
 public/file.te | 3 ++-
 public/init.te | 2 +-
 public/ueventd.te | 14 ++++++--------
 6 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/prebuilts/api/26.0/26.0.cil b/prebuilts/api/26.0/26.0.cil
index 5242b468d..4a78695ff 100644
--- a/prebuilts/api/26.0/26.0.cil
+++ b/prebuilts/api/26.0/26.0.cil
@@ -645,7 +645,7 @@
 (typeattributeset usbfs_26_0 (usbfs))
 (typeattributeset usb_service_26_0 (usb_service))
 (typeattributeset userdata_block_device_26_0 (userdata_block_device))
-(typeattributeset usermodehelper_26_0 (usermodehelper))
+(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper))
 (typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
 (typeattributeset user_service_26_0 (user_service))
 (typeattributeset vcs_device_26_0 (vcs_device))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3914cec7d..e77a39b92 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -59,7 +59,7 @@ genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
 genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
 genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
 genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
-genfscon sysfs /kernel/uevent_helper u:object_r:usermodehelper:s0
+genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
 genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
 genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
 genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
diff --git a/public/domain.te b/public/domain.te
index 3dae729c5..e6c72694c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -317,6 +317,7 @@ neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
 neverallow { domain -init } proc_security:file { append open read write };
 
 # No domain should be allowed to ptrace init.
diff --git a/public/file.te b/public/file.te
index 20aea9d12..dfc5bcd9f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -9,7 +9,8 @@ type proc_security, fs_type;
 type proc_drop_caches, fs_type;
 type proc_overcommit_memory, fs_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type, sysfs_type;
+type usermodehelper, fs_type;
+type sysfs_usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type proc_cpuinfo, fs_type;
diff --git a/public/init.te b/public/init.te
index 1903cfd74..e6162a939 100644
--- a/public/init.te
+++ b/public/init.te
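Review bot: The new neverallow in domain.te exempts ueventd from the sysfs_usermodehelper restriction, but the comment two lines above it still says only init may configure kernel usermodehelpers, so the comment no longer describes the rule beneath it. Because genfs_contexts labels /sys/kernel/uevent_helper with this type, the exemption means a compromised ueventd could now redirect the kernel's uevent helper to a binary of its choosing, which is exactly what the original "only init" invariant guards against; that widening deserves to be recorded where the rule lives. If it is intended, extend the comment, e.g. `# Only init should be able to configure kernel usermodehelpers or` / `# security-sensitive proc settings. ueventd is exempted for the sysfs node` / `# only because it needs write access to all of /sys to regenerate uevents.` If ueventd never actually writes uevent_helper, the tighter fix is to carve sysfs_usermodehelper out of ueventd's sysfs_type write rule and drop the `-ueventd` here, keeping the invariant intact.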
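Review bot: In the file.te hunk the existing comment `# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.` now sits above two types without saying why they are separate, and nothing records that usermodehelper must stay off sysfs_type so /proc nodes are not swept into rules written against sysfs_type, which is the bug this commit fixes. I would give each type its own comment: `# proc or other non-sysfs nodes that permit configuration of kernel usermodehelpers.` above `type usermodehelper, fs_type;` and `# sysfs nodes (/sys/kernel/uevent_helper) that configure kernel usermodehelpers; carries sysfs_type.` above `type sysfs_usermodehelper, fs_type, sysfs_type;`, so the next maintainer does not re-add sysfs_type to the first one.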
@@ -252,7 +252,7 @@ allow init kernel:system syslog_mod;
 allow init self:capability2 syslog;
 
 # Set usermodehelpers and /proc security settings.
-allow init usermodehelper:file rw_file_perms;
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
 
 # Write to /proc/sys/kernel/panic_on_oops.
diff --git a/public/ueventd.te b/public/ueventd.te
index da2695f14..212087e52 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -8,15 +8,13 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
 
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
-r_dir_file(ueventd, sysfs_type)
 r_dir_file(ueventd, rootfs)
-allow ueventd sysfs:file w_file_perms;
-allow ueventd sysfs_usb:file w_file_perms;
-allow ueventd sysfs_hwrandom:file w_file_perms;
-allow ueventd sysfs_zram_uevent:file w_file_perms;
-allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
-allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
-allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
+
+# ueventd needs write access to files in /sys to regenerate uevents
+allow ueventd sysfs_type:file w_file_perms;
+r_dir_file(ueventd, sysfs_type)
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
 allow ueventd tmpfs:chr_file rw_file_perms;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
-- 
GitLab
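Review bot: The new rule `allow ueventd sysfs_type:file w_file_perms;` in ueventd.te grants write on every file carrying sysfs_type, which after the file.te change includes sysfs_usermodehelper (/sys/kernel/uevent_helper), and that blanket grant is the only reason domain.te has to exempt ueventd from the usermodehelper neverallow. If uevent regeneration only needs to write the per-device uevent nodes, as the new comment suggests, scope the rule as `allow ueventd { sysfs_type -sysfs_usermodehelper }:file w_file_perms;` so the invariant that only init configures kernel usermodehelpers holds without an exemption; I am inferring from the comment, not from this hunk, that uevent_helper itself is never written. The comment would also be more useful if it named the nodes being written rather than "files in /sys", e.g. `# ueventd writes the uevent nodes under /sys to regenerate uevents; no other sysfs writes are intended.`, since the rule as written is far broader than that sentence implies.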