# SELinux type-enforcement rules for the kernel domain: the kernel itself and
# the early userspace it spawns before init has switched to its own domain.
typeattribute kernel coredomain;

# init is started from the kernel domain; executing an init_exec file
# transitions the process into the init domain.
domain_auto_trans(kernel, init_exec, init)

# The following sections are for the transition period during a Virtual A/B
# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
# context, and with properly labelled devices. This must be done before
# enabling enforcement, eg, in permissive mode while still in the kernel
# context.
# NOTE(review): the comment above describes when these relabel rules are
# exercised; as unconditional allow rules they remain in force after
# setenforce, so the kernel domain keeps relabel rights on these types.
allow kernel tmpfs:blk_file { getattr relabelfrom };
allow kernel tmpfs:chr_file { getattr relabelfrom };
allow kernel tmpfs:lnk_file { getattr relabelfrom };
allow kernel tmpfs:dir { open read relabelfrom };

# Target labels the early device nodes are moved to (see relabelfrom above).
allow kernel block_device:blk_file relabelto;
allow kernel block_device:lnk_file relabelto;
allow kernel dm_device:chr_file relabelto;
allow kernel dm_device:blk_file relabelto;
allow kernel dm_user_device:dir { read open search relabelto };
allow kernel dm_user_device:chr_file relabelto;
allow kernel kmsg_device:chr_file relabelto;
allow kernel null_device:chr_file relabelto;
allow kernel random_device:chr_file relabelto;
# Write to /dev/kmsg once it carries the kmsg_device label (the tmpfs:chr_file
# write rule further down covers the node before it is relabelled).
allow kernel kmsg_device:chr_file write;
# NOTE(review): vd_device presumably labels virtio block devices; confirm
# against the device contexts before widening this rule.
allow kernel vd_device:blk_file read;

# CAP_SYS_NICE for kernel-domain processes; no rationale is recorded here.
allow kernel self:global_capability_class_set sys_nice;

# Root fs.
r_dir_file(kernel, rootfs)

# Used to read androidboot.selinux property
allow kernel {
    proc_bootconfig
    proc_cmdline
}:file r_file_perms;

# Get SELinux enforcing status.
allow kernel selinuxfs:dir r_dir_perms;
allow kernel selinuxfs:file r_file_perms;

# Get file contexts during first stage
allow kernel file_contexts_file:file r_file_perms;

# Allow init relabel itself.
allow kernel rootfs:file relabelfrom;
allow kernel init_exec:file relabelto;
# TODO: investigate why we need this.
allow kernel init:process share;

# cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search;

# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
dontaudit kernel self:security setenforce;

# Init reboot before switching selinux domains under certain error
# conditions. Allow it.
# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
# remount filesystems read-only. /data is not mounted at this point,
# so we could ignore this. For now, we allow it.
allow kernel self:global_capability_class_set sys_boot;
allow kernel proc_sysrq:file w_file_perms;

# Allow writing to /dev/kmsg which was created prior to loading policy.
allow kernel tmpfs:chr_file write;

# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel selinuxfs:file write;
allow kernel self:security setcheckreqprot;

# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
allow kernel { sdcard_type fuse }:file { read write };

# Allow the kernel to read APEX file descriptors and (staged) data files;
# Needed because APEX uses the loopback driver, which issues requests from
# a kernel thread in earlier kernel version.
allow kernel apexd:fd use;

#-----------------------------------------
# apkdmverity file descriptors; presumably the same loopback-driver reason as
# the apexd rule above — confirm.
allow kernel apkdmverity:fd use;