# SELinux policy for the init domain (second-stage init). init is part of the
# core platform (coredomain). Most of this file is about two things: letting
# init hand each service it starts off into its own, more restricted domain
# (the domain_trans / domain_auto_trans rules), and pinning down a set of
# system properties that only init may set (the neverallow rules).
typeattribute init coredomain;

# Private tmpfs type for init (tmpfs_domain macro; its expansion is not in
# this file).
tmpfs_domain(init)

# Transitions to seclabel processes in init.rc
# domain_trans() permits the transition for services whose init.rc entry
# names the target context with "seclabel". domain_auto_trans() presumably
# also makes the target domain the default when init executes that exec
# type (see te_macros) — confirm against the macro definition.
domain_trans(init, rootfs, healthd)
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, charger_exec, charger)
domain_auto_trans(init, e2fs_exec, e2fs)
domain_auto_trans(init, bpfloader_exec, bpfloader)

# Rules inside recovery_only() are compiled only into the recovery variant of
# the policy; they are absent from the normal system image.
recovery_only(`
# Files in recovery image are labeled as rootfs.
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, charger)
domain_trans(init, rootfs, fastbootd)
domain_trans(init, rootfs, recovery)
domain_trans(init, rootfs, linkerconfig)
domain_trans(init, rootfs, snapuserd)
')
domain_trans(init, shell_exec, shell)
# ueventd and vendor_init are the same binary as init (init_exec), re-executed
# into a different domain.
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, vendor_init)
# modprobe may be either the toolbox binary or a rootfs-labeled file.
domain_trans(init, { rootfs toolbox_exec }, modprobe)
# Debug-build-only rules. Nothing in this block exists on user builds, so
# init on a user build can never transition into the unconfined su domain.
userdebug_or_eng(`
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
domain_auto_trans(init, logcat_exec, logpersist)

# allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
allow init su:process transition;
# Don't log the noatsecure check (AT_SECURE handling) for this transition.
dontaudit init su:process noatsecure;
# Let the su child inherit init's signal state and rlimits across the exec.
allow init su:process { siginh rlimitinh };
')

# Allow init to figure out name of dm-device from its /dev/block/dm-XX path.
# This is useful in case of remounting ext4 userdata into checkpointing mode,
# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypt)
# that userdata is mounted onto.
# Read-only: init only needs to look up the device name under sysfs.
allow init sysfs_dm:file read;

# Allow init to write to the drop_caches file.
# NOTE: rw_file_perms grants read as well as write on this proc entry.
allow init proc_drop_caches:file rw_file_perms;

# Allow the BoringSSL self test to request a reboot upon failure
# (powerctl_prop is the sys.powerctl property; setting it triggers the reboot).
set_prop(init, powerctl_prop)

# Only init is allowed to set userspace reboot related properties.
# The neverallow is a build-time assertion: the policy fails to compile if any
# other domain is ever granted "set" on this property.
set_prop(init, userspace_reboot_exported_prop)
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;

# Second-stage init performs a test for whether the kernel has SELinux hooks
# for the perf_event_open() syscall. This is done by testing for the syscall
# outcomes corresponding to this policy.
# TODO(b/137092007): this can be removed once the platform stops supporting
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
# and 4.9).
# The probe only needs "open" and "cpu" on init's own perf events; the
# neverallow below guarantees init is never granted the permissions that
# would let it actually read or write perf/tracepoint data, and the dontaudit
# keeps the probe's expected denials out of the audit log.
allow init self:perf_event { open cpu };
allow init self:global_capability2_class_set perfmon;
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };

# Allow init to communicate with snapuserd to transition Virtual A/B devices
# from the first-stage daemon to the second-stage.
# Connecting to the daemon's unix socket needs write on the socket file plus
# connectto on the listening socket itself.
allow init snapuserd_socket:sock_file write;
allow init snapuserd:unix_stream_socket connectto;
# Allow for libsnapshot's use of flock() on /metadata/ota.
allow init ota_metadata_file:dir lock;

# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;

# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;

# Only init can write vts.native_server.on
set_prop(init, vts_status_prop)
neverallow { domain -init } vts_status_prop:property_service set;

# Only init can write normal ro.boot. properties
# No set_prop(init, ...) here or for the next three: init populates these
# internally rather than through the property service, so the neverallow is
# purely a guard against other domains being granted "set".
neverallow { domain -init } bootloader_prop:property_service set;

# Only init can write hal.instrumentation.enable
neverallow { domain -init } hal_instrumentation_prop:property_service set;

# Only init can write ro.property_service.version
neverallow { domain -init } property_service_version_prop:property_service set;

# Only init can set keystore.boot_level
neverallow { domain -init } keystore_listen_prop:property_service set;

# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
# Write-only (w_file_perms); init does not read the trace instance.
allow init debugfs_bootreceiver_tracing:file w_file_perms;

# chown/chmod on devices.
# setattr on character devices covers the ownership/mode changes init.rc
# applies under /dev. The listed device types are deliberately excluded so
# init cannot loosen permissions on the hardware RNG, keychord, KVM or
# port (/dev/port) device nodes.
allow init {
  dev_type
  -hw_random_device
  -keychord_device
  -kvm_device
  -port_device
}:chr_file setattr;