# SELinux policy for the init domain (Android-style policy: allow / allowxperm /
# dontaudit statements plus the project's macros such as domain_trans(),
# r_dir_file(), tmpfs_domain(), selinux_check_access() and set_prop()).
#
# Reviewer guidance: init is a highly privileged domain (it transitions into
# other domains and relabels much of /dev and the filesystem), so many grants
# below are attribute-wide rules narrowed only by explicit "-type" exclusion
# lists. A new type that init must NOT be able to touch has to be added to
# those exclusion lists; it is not protected merely by being absent here.

typeattribute init coredomain;

tmpfs_domain(init)

# Domain transitions init performs when executing these files.
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, vendor_init)

# Allow init to figure out name of dm-device from its /dev/block/dm-XX path.
# This is useful in case of remounting ext4 userdata into checkpointing mode,
# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
# that userdata is mounted onto.
allow init sysfs_dm:file read;

# Second-stage init performs a test for whether the kernel has SELinux hooks
# for the perf_event_open() syscall. This is done by testing for the syscall
# outcomes corresponding to this policy.
allow init self:perf_event { open cpu };
allow init self:global_capability2_class_set perfmon;
# The probe deliberately exercises permissions it is not granted; dontaudit
# keeps those expected denials out of the audit log.
dontaudit init self:perf_event { kernel tracepoint read write };

# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;

# chown/chmod on devices.
# hw_random_device and kvm_device are carved out of this grant.
allow init {
    dev_type
    -hw_random_device
    -kvm_device
}:chr_file setattr;

# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };

# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
# /dev/__properties__/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
# /dev/event-log-tags
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
allow init { device socket_device dm_user_device }:dir relabelto;
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
allow init { null_device ptmx_device random_device } : chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
allow init dm_user_device:chr_file relabelto;
# NOTE(review): no rationale is recorded for using kernel-labeled file
# descriptors; confirm which descriptor init inherits that needs this.
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };

# setrlimit
allow init self:global_capability_class_set sys_resource;

# Remove /dev/.booting and load /debug_ramdisk/* files
allow init tmpfs:file { getattr unlink };

# Access pty created for fsck.
allow init devpts:chr_file { read write open };

# Access /dev/__null__ node created prior to initial policy load.
allow init tmpfs:chr_file write;

# Access /dev/console.
allow init console_device:chr_file rw_file_perms;

# Access /dev/tty0.
allow init tty_device:chr_file rw_file_perms;

# Call mount(2).
allow init self:global_capability_class_set sys_admin;

# Call setns(2).
allow init self:global_capability_class_set sys_chroot;

# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init {
    rootfs
    cgroup
    linkerconfig_file
    system_data_file
    system_data_root_file
    system_file
    vendor_file
}:dir mounton;

# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;

# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;

# Mount tmpfs on /apex
allow init apex_mnt_dir:dir mounton;

# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };

# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;

# Create cgroups mount points in tmpfs and mount cgroups on them.
allow init tmpfs:dir create_dir_perms;
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
allow init cgroup:file rw_file_perms;
allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
allow init cgroup_desc_api_file:file r_file_perms;
allow init cgroup_v2:dir { mounton create_dir_perms };
allow init cgroup_v2:file rw_file_perms;

# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;

# Create directories under /dev/cpuctl after chowning it to system.
allow init self:global_capability_class_set { dac_override dac_read_search };

# Raw block I/O and device-node creation; no rationale is recorded here.
allow init self:global_capability_class_set { sys_rawio mknod };

# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
allowxperm init dev_type:blk_file ioctl BLKROSET;

# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
# "~relabelto" grants every filesystem permission except relabelto.
allow init {
    fs_type
}:filesystem ~relabelto;

# Allow init to mount tracefs in /sys/kernel/tracing
allow init debugfs_tracing_debug:filesystem mount;

# Same treatment for filesystems carrying no recognized label.
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;

# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;

# restorecon /adb_keys or any other rootfs files and directories to a more
# specific type.
allow init rootfs:{ dir file } relabelfrom;

# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr, for open()+fchown()/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
# NOTE(review): the rules that follow grant init near-universal file access;
# the "-type" exclusion entries are the only thing keeping a type out of reach.
allow init self:global_capability_class_set { chown fowner fsetid };

# Read/create/setattr on directories of (almost) any file type. keystore_data_file
# and shell_data_file are not excluded here; see their dedicated rules below.
allow init {
    file_type
    -exec_type
    -system_file_type
    -vendor_file_type
}:dir { create search getattr open read setattr ioctl };

# Mutating directory contents excludes keystore and shell data as well.
allow init {
    file_type
    -exec_type
    -keystore_data_file
    -shell_data_file
    -system_file_type
    -vendor_file_type
}:dir { write add_name remove_name rmdir relabelfrom };

allow init {
    file_type
    -apex_info_file
    -exec_type
    -keystore_data_file
    -runtime_event_log_tags_file
    -shell_data_file
    -system_file_type
    -vendor_file_type
}:file { create getattr open read write setattr relabelfrom unlink map };

allow init tracefs_type:file { create_file_perms relabelfrom };

allow init {
    file_type
    -exec_type
    -keystore_data_file
    -shell_data_file
    -system_file_type
    -vendor_file_type
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

allow init {
    file_type
    -apex_mnt_dir
    -exec_type
    -keystore_data_file
    -shell_data_file
    -system_file_type
    -vendor_file_type
}:lnk_file { create getattr setattr relabelfrom unlink };

allow init {
    file_type
    -system_file_type
    -vendor_file_type
    -exec_type
}:dir_file_class_set relabelto;

# Relabel (restorecon) nodes under sysfs and tracefs.
allow init { sysfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type tracefs_type }:{ dir file lnk_file } { relabelto getattr };
# Create directories and symlinks on device types (under /dev).
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;

# chown/chmod on pseudo files.
allow init {
    fs_type
    -contextmount_type
    -proc_type
    -fusefs_type
    -sysfs_type
    -rootfs
}:file { open read setattr };
allow init { fs_type -contextmount_type -fusefs_type -rootfs }:dir { open read setattr search };

allow init {
    binder_device
    console_device
    devpts
    dm_device
    hwbinder_device
    kmsg_device
    null_device
    owntty_device
    ptmx_device
    random_device
    tty_device
    zero_device
}:chr_file { read open };

# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
allow init self:global_capability2_class_set syslog;

# init access to /proc.
r_dir_file(init, proc_net_type)
allow init proc_filesystems:file r_file_perms;

allow init {
    proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
    proc_bootconfig
    proc_cmdline
    proc_diskstats
    proc_kmsg # Open /proc/kmsg for logd service.
    proc_meminfo
    proc_stat # Read /proc/stat for bootchart.
    proc_uptime
    proc_version
}:file r_file_perms;

# Kernel tunables written by init (mostly /proc/sys entries).
allow init {
    proc_abi
    proc_dirty
    proc_hostname
    proc_hung_task
    proc_extra_free_kbytes
    proc_net_type
    proc_max_map_count
    proc_min_free_order_shift
    proc_overcommit_memory # /proc/sys/vm/overcommit_memory
    proc_panic
    proc_page_cluster
    proc_perf
    proc_sched
    proc_sysrq
}:file w_file_perms;

allow init {
    proc_security
}:file rw_file_perms;

# init chmod/chown access to /proc files.
allow init {
    proc_cmdline
    proc_bootconfig
    proc_kmsg
    proc_net
    proc_pagetypeinfo
    proc_qtaguid_stat
    proc_slabinfo
    proc_sysrq
    proc_qtaguid_ctrl
    proc_vmallocinfo
}:file setattr;

# init access to /sys files.
allow init {
    sysfs_android_usb
    sysfs_dm_verity
    sysfs_leds
    sysfs_power
    sysfs_fs_f2fs
    sysfs_dm
}:file w_file_perms;

allow init {
    sysfs_dt_firmware_android
    sysfs_fs_ext4_features
}:file r_file_perms;

allow init {
    sysfs_zram
}:file rw_file_perms;

# allow init to create loop devices with /dev/loop-control
allow init loop_control_device:chr_file rw_file_perms;
allow init loop_device:blk_file rw_file_perms;
# ioctls on loop devices are restricted to this explicit list.
allowxperm init loop_device:blk_file ioctl {
    LOOP_SET_FD
    LOOP_CLR_FD
    LOOP_CTL_GET_FREE
    LOOP_SET_BLOCK_SIZE
    LOOP_SET_DIRECT_IO
    LOOP_GET_STATUS
};

# init chmod/chown access to /sys files.
allow init {
    sysfs_android_usb
    sysfs_devices_system_cpu
    sysfs_ipv4
    sysfs_leds
    sysfs_lowmemorykiller
    sysfs_power
    sysfs_vibrator
    sysfs_wake_lock
    sysfs_zram
}:file setattr;

# CAP_NET_ADMIN; see also the "ifup lo" rules further below.
allow init self:global_capability_class_set net_admin;

# Reboot.
allow init self:global_capability_class_set sys_boot;

# Support "adb shell stop"
# Note this is domain-wide: init may signal processes in any domain.
allow init self:global_capability_class_set kill;
allow init domain:process { getpgid sigkill signal };

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
# (Deliberately narrower than the file_type rules above: no write/unlink.)
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };

# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };

# Set UID, GID, and adjust capability bounding set for services.
allow init self:global_capability_class_set { setuid setgid setpcap };

# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have following line to allow init to have access
# to different domains.
r_dir_file(init, domain)

# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };

# Get file context
allow init file_contexts_file:file r_file_perms;

# sepolicy access
allow init sepolicy_file:file r_file_perms;

# Perform SELinux access checks on setting properties.
selinux_check_access(init)

# Ask the kernel for the new context on services to label their sockets.
allow init kernel:security compute_create;

# Create sockets for the services.
allow init domain:unix_stream_socket { create bind setopt };
allow init domain:unix_dgram_socket { create bind setopt };

# Set any property.
allow init property_type:property_service set;

# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:global_capability_class_set audit_write;

# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs:
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
allow init self:global_capability_class_set net_raw;

# Set scheduling info for psi monitor thread.
# TODO: delete or revise this line b/131761776
allow init kernel:process { getsched setsched };

# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO: Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file create_file_perms;

# Access device mapper for setting up dm-verity
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;

# linux keyring configuration
allow init init:key { write search setattr };

r_dir_file(init, system_file)
r_dir_file(init, vendor_file_type)

allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file r_file_perms;

# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { rw_file_perms setattr };

# init is using bootstrap bionic
allow init system_bootstrap_lib_file:dir r_dir_perms;
allow init system_bootstrap_lib_file:file { execute read open getattr map };

# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };

# set_prop() macro form of the property-set grant (see "Set any property" above).
set_prop(init, property_type)