Allow /dev/klog access, drop mknod and __null__ access
Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.
Addresses the following denials:
avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.
Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates its own /dev/null device, so it's unnecessary for us
to allow for it.
Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.
Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
diff --git a/domain.te b/domain.te
index 19de0c0..7df8e6f 100644
--- a/domain.te
+++ b/domain.te
@@ -187,7 +187,13 @@
} self:capability sys_ptrace;
# Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
+neverallow {
+ domain
+ -kernel
+ -init
+ -ueventd
+ -vold
+} self:capability mknod;
# Limit raw I/O to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
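Review bot: The rewritten mknod neverallow also drops `-uncrypt` from the exemption list, which the commit message does not mention (it names only healthd, slideshow and watchdogd). If uncrypt.te still carries an `allow uncrypt self:capability mknod;` rule, the policy will no longer build against this neverallow; if uncrypt never needed mknod, the removal is a welcome tightening but should be stated in the description so the intent is auditable. The sys_rawio neverallow on the next line still exempts watchdogd and healthd; with their device-node creation gone it may be worth checking in a follow-up whether those exemptions are still needed.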
diff --git a/healthd.te b/healthd.te
index a1019ee..cd5429b 100644
--- a/healthd.te
+++ b/healthd.te
@@ -2,12 +2,10 @@
# it lives in the rootfs and has no unique file type.
type healthd, domain;
-write_klog(healthd)
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by healthd.
-allow healthd tmpfs:chr_file { read write };
+# Write to /dev/kmsg
+allow healthd kmsg_device:chr_file rw_file_perms;
-allow healthd self:capability { net_admin mknod sys_tty_config };
+allow healthd self:capability { net_admin sys_tty_config };
wakelock_use(healthd)
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
binder_use(healthd)
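Review bot: `rw_file_perms` on kmsg_device:chr_file grants read, getattr, ioctl and lock in addition to the write that the denials in the commit message show, so the new rule is wider than the stated need of writing to the kernel log, and reading /dev/kmsg exposes the dmesg ring buffer to the domain. The `w_file_perms` macro (open, append, write, lock) covers klog_write() while keeping the domain unable to read kernel messages: `allow healthd kmsg_device:chr_file w_file_perms;`. The same applies to the slideshow, vold and watchdogd hunks below. The `# Write to /dev/kmsg` comment added here is also missing from those three hunks; carrying it over keeps the rules self-explanatory.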
diff --git a/slideshow.te b/slideshow.te
index 2b82b3e..86d4bff 100644
--- a/slideshow.te
+++ b/slideshow.te
@@ -2,10 +2,10 @@
# it lives in the rootfs and has no unique file type.
type slideshow, domain;
-write_klog(slideshow)
+allow slideshow kmsg_device:chr_file rw_file_perms;
wakelock_use(slideshow)
allow slideshow device:dir r_dir_perms;
-allow slideshow self:capability { mknod sys_tty_config };
+allow slideshow self:capability sys_tty_config;
allow slideshow graphics_device:dir r_dir_perms;
allow slideshow graphics_device:chr_file rw_file_perms;
allow slideshow input_device:dir r_dir_perms;
diff --git a/te_macros b/te_macros
index 408d9d5..100c734 100644
--- a/te_macros
+++ b/te_macros
@@ -275,17 +275,6 @@
')
#####################################
-# write_klog(domain)
-# Ability to write to kernel log via
-# klog_write()
-# See system/core/libcutil/klog.c
-define(`write_klog', `
-type_transition $1 device:chr_file klog_device "__kmsg__";
-allow $1 klog_device:chr_file { create open write unlink };
-allow $1 device:dir { write add_name remove_name };
-')
-
-#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
define(`create_pty', `
diff --git a/ueventd.te b/ueventd.te
index 23c93ad..f4884d7 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -2,7 +2,12 @@
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
tmpfs_domain(ueventd)
-write_klog(ueventd)
+
+# TODO: why is ueventd using __kmsg__ when it should just create
+# and use /dev/kmsg instead?
+type_transition ueventd device:chr_file klog_device "__kmsg__";
+allow ueventd klog_device:chr_file { create open write unlink };
+
security_access_policy(ueventd)
allow ueventd init:process sigchld;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
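Review bot: The inlined replacement for write_klog(ueventd) keeps the type_transition and the klog_device rule but drops the macro's third rule, `allow $1 device:dir { write add_name remove_name };`, so creating and unlinking /dev/__kmsg__ will be denied unless ueventd already holds those device:dir permissions elsewhere in ueventd.te, which is outside this hunk. If it does, a one-line comment saying so would stop the next reader from re-adding it; if it does not, the rule should come back alongside the other two. The new TODO reads as an open question; phrasing the intended end state, `# TODO: switch ueventd to /dev/kmsg and drop the klog_device/__kmsg__ rules`, makes it actionable.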
diff --git a/vold.te b/vold.te
index 9ab00c7..49815c8 100644
--- a/vold.te
+++ b/vold.te
@@ -81,7 +81,7 @@
# XXX Label sysfs files with a specific type?
allow vold sysfs:file rw_file_perms;
-write_klog(vold)
+allow vold kmsg_device:chr_file rw_file_perms;
# Run fsck.
allow vold fsck_exec:file rx_file_perms;
diff --git a/watchdogd.te b/watchdogd.te
index ab93560..00292a9 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,9 +1,4 @@
# watchdogd seclabel is specified in init.<board>.rc
type watchdogd, domain;
-allow watchdogd self:capability mknod;
-allow watchdogd device:dir { add_name write remove_name };
allow watchdogd watchdog_device:chr_file rw_file_perms;
-# because of /dev/__kmsg__ and /dev/__null__
-write_klog(watchdogd)
-type_transition watchdogd device:chr_file null_device "__null__";
-allow watchdogd null_device:chr_file { create unlink };
+allow watchdogd kmsg_device:chr_file rw_file_perms;