Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 27b515e70a5f26b15cf9077328eff6bee74b01c7 / . / private / init.te
blob: 96fd5c55c8926271a907869b0fe5174e96bfbd6e [file] [log] [blame]
Alex Klyubinf5446eb2017-03-23 14:27:32 -0700[diff] [blame]1typeattribute init coredomain;
2
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]3tmpfs_domain(init)
4
5# Transitions to seclabel processes in init.rc
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]6domain_trans(init, rootfs, slideshow)
Tao Baoecc7e8c2018-09-07 15:05:33 -0700[diff] [blame]7domain_auto_trans(init, charger_exec, charger)
Jin Qian4de505b2017-05-02 13:45:08 -0700[diff] [blame]8domain_auto_trans(init, e2fs_exec, e2fs)
Joel Fernandes147cf642018-11-29 13:07:40 -0800[diff] [blame]9domain_auto_trans(init, bpfloader_exec, bpfloader)
10
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]11recovery_only(`
Tao Baoecc7e8c2018-09-07 15:05:33 -0700[diff] [blame]12 # Files in recovery image are labeled as rootfs.
Bowgo Tsai5846c792017-07-31 18:38:28 +0800[diff] [blame]13 domain_trans(init, rootfs, adbd)
Kelvin Zhang19a57852022-08-30 00:12:26 +0000[diff] [blame]14 domain_trans(init, rootfs, hal_bootctl_server)
Tao Baoecc7e8c2018-09-07 15:05:33 -0700[diff] [blame]15 domain_trans(init, rootfs, charger)
Jerry Zhang1d85efa2018-05-29 10:54:16 -0700[diff] [blame]16 domain_trans(init, rootfs, fastbootd)
Sandeep Dhavalef0ea9532022-11-08 23:57:09 +0000[diff] [blame]17 domain_trans(init, rootfs, hal_fastboot_server)
Yifan Hong705db2b2021-11-15 18:56:22 -0800[diff] [blame]18 domain_trans(init, rootfs, hal_health_server)
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]19 domain_trans(init, rootfs, recovery)
Kiyoung Kim2c271aa2019-12-09 14:57:46 +0900[diff] [blame]20 domain_trans(init, rootfs, linkerconfig)
Yifan Hongd6b29012021-11-13 00:22:01 -0800[diff] [blame]21 domain_trans(init, rootfs, servicemanager)
David Andersond84b67e2021-02-04 12:30:09 -0800[diff] [blame]22 domain_trans(init, rootfs, snapuserd)
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]23')
24domain_trans(init, shell_exec, shell)
25domain_trans(init, init_exec, ueventd)
Tom Cherry621c24c2017-09-28 14:34:36 -0700[diff] [blame]26domain_trans(init, init_exec, vendor_init)
Sandeep Patile41af202017-06-02 16:09:26 -0700[diff] [blame]27domain_trans(init, { rootfs toolbox_exec }, modprobe)
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]28userdebug_or_eng(`
Tom Cherry938ab052018-08-03 10:49:20 -0700[diff] [blame]29 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
Mark Salyzynda62cb42016-08-10 11:10:02 -0700[diff] [blame]30 domain_auto_trans(init, logcat_exec, logpersist)
Tom Cherry938ab052018-08-03 10:49:20 -0700[diff] [blame]31
32 # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
33 allow init su:process transition;
34 dontaudit init su:process noatsecure;
35 allow init su:process { siginh rlimitinh };
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]36')
Branden Archerd36b1d52018-11-27 15:47:12 -0800[diff] [blame]37
Nikita Ioffe23ba9762019-12-09 21:21:55 +0000[diff] [blame]38# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
39# This is useful in case of remounting ext4 userdata into checkpointing mode,
40# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
41# that userdata is mounted onto.
42allow init sysfs_dm:file read;
43
Bart Van Assche9059e212021-07-29 14:53:51 -0700[diff] [blame]44# Allow init to modify the properties of loop devices.
45allow init sysfs_loop:dir r_dir_perms;
46allow init sysfs_loop:file rw_file_perms;
47
Bart Van Assche60b7d9a2021-10-13 16:21:54 +0000[diff] [blame]48# Allow init to examine the properties of block devices.
Bart Van Assche398b0af2021-10-13 10:56:57 -0700[diff] [blame]49allow init sysfs_type:file { getattr read };
50# Allow init get the attributes of block devices in /dev/block.
51allow init dev_type:dir r_dir_perms;
52allow init dev_type:blk_file getattr;
Bart Van Assche60b7d9a2021-10-13 16:21:54 +0000[diff] [blame]53
Michael Rosenfeld3ccbebb2021-02-10 18:45:35 -0800[diff] [blame]54# Allow init to write to the drop_caches file.
55allow init proc_drop_caches:file rw_file_perms;
56
Branden Archerd36b1d52018-11-27 15:47:12 -0800[diff] [blame]57# Allow the BoringSSL self test to request a reboot upon failure
58set_prop(init, powerctl_prop)
Nikita Ioffe7065e462019-11-14 12:59:15 +0000[diff] [blame]59
Nikita Ioffe7065e462019-11-14 12:59:15 +0000[diff] [blame]60set_prop(init, userspace_reboot_exported_prop)
Ryan Savitski52b3d312020-01-14 18:20:06 +0000[diff] [blame]61
62# Second-stage init performs a test for whether the kernel has SELinux hooks
63# for the perf_event_open() syscall. This is done by testing for the syscall
64# outcomes corresponding to this policy.
65# TODO(b/137092007): this can be removed once the platform stops supporting
66# kernels that precede the perf_event_open hooks (Android common kernels 4.4
67# and 4.9).
68allow init self:perf_event { open cpu };
Alistair Delva178f0ac2020-06-05 10:15:30 -0700[diff] [blame]69allow init self:global_capability2_class_set perfmon;
Ryan Savitski52b3d312020-01-14 18:20:06 +0000[diff] [blame]70
David Anderson0c0c13a2020-10-30 00:12:22 -0700[diff] [blame]71# Allow init to communicate with snapuserd to transition Virtual A/B devices
72# from the first-stage daemon to the second-stage.
73allow init snapuserd_socket:sock_file write;
74allow init snapuserd:unix_stream_socket connectto;
75# Allow for libsnapshot's use of flock() on /metadata/ota.
76allow init ota_metadata_file:dir lock;
77
Jooyung Hanb62be122021-04-12 21:44:43 +0900[diff] [blame]78# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
79# /dev/block.
80allow init vd_device:blk_file relabelto;
81
Ryan Savitski52b3d312020-01-14 18:20:06 +0000[diff] [blame]82set_prop(init, init_perf_lsm_hooks_prop)
Inseob Kim212e2b62020-07-14 02:10:37 +0900[diff] [blame]83set_prop(init, vts_status_prop)
Alexander Potapenko3d528172021-03-02 16:46:50 +0100[diff] [blame]84
85# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
86allow init debugfs_bootreceiver_tracing:file w_file_perms;
Andrew Walbrana995e842021-03-29 17:19:12 +0000[diff] [blame]87
Pete Bentleye6da3b82022-09-16 15:31:39 +0100[diff] [blame]88# PRNG seeder daemon socket is created and listened on by init before forking.
89allow init prng_seeder:unix_stream_socket { create bind listen };
90
Kalesh Singhfab8e1c2021-11-04 20:47:29 -0700[diff] [blame]91# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
92# attempt to write a non exisiting 'synthetic_events' file, when setting
93# up synthetic events. This is a no-op in tracefs.
94dontaudit init debugfs_tracing_debug:dir { write add_name };
95
Andrew Walbrana995e842021-03-29 17:19:12 +0000[diff] [blame]96# chown/chmod on devices.
97allow init {
98 dev_type
99 -hw_random_device
100 -keychord_device
Elliot Bermanae5869a2023-03-22 17:31:35 -0700[diff] [blame]101 -vm_manager_device_type
Andrew Walbrana995e842021-03-29 17:19:12 +0000[diff] [blame]102 -port_device
103}:chr_file setattr;
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]104
105# /dev/__null__ node created by init.
106allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
107
108#
109# init direct restorecon calls.
110#
111# /dev/kmsg
112allow init tmpfs:chr_file relabelfrom;
113allow init kmsg_device:chr_file { getattr write relabelto };
114# /dev/kmsg_debug
115userdebug_or_eng(`
116 allow init kmsg_debug_device:chr_file { open write relabelto };
117')
118
119# allow init to mount and unmount debugfs in debug builds
120userdebug_or_eng(`
121 allow init debugfs:dir mounton;
122')
123
124# /dev/__properties__
125allow init properties_device:dir relabelto;
126allow init properties_serial:file { write relabelto };
127allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
128# /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info
129allow init properties_device:file create_file_perms;
130allow init property_info:file relabelto;
131# /dev/event-log-tags
132allow init device:file relabelfrom;
133allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
134# /dev/socket
135allow init { device socket_device dm_user_device }:dir relabelto;
136# allow init to establish connection and communicate with lmkd
137unix_socket_connect(init, lmkd, lmkd)
138# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
139# and /dev/urandom
140allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
141# /dev/device-mapper, /dev/block(/.*)?
142allow init tmpfs:{ chr_file blk_file } relabelfrom;
143allow init tmpfs:blk_file getattr;
144allow init block_device:{ dir blk_file lnk_file } relabelto;
145allow init dm_device:{ chr_file blk_file } relabelto;
146allow init dm_user_device:chr_file relabelto;
147allow init kernel:fd use;
148# restorecon for early mount device symlinks
149allow init tmpfs:lnk_file { getattr read relabelfrom };
150allow init {
151 metadata_block_device
152 misc_block_device
153 recovery_block_device
154 system_block_device
155 userdata_block_device
156}:{ blk_file lnk_file } relabelto;
157
158allow init dtbo_block_device:lnk_file relabelto;
159allow init super_block_device:lnk_file relabelto;
160
161# Create /mnt/sdcard -> /storage/self/primary symlink.
162allow init mnt_sdcard_file:lnk_file create;
163
164# setrlimit
165allow init self:global_capability_class_set sys_resource;
166
167# Remove /dev/.booting and load /debug_ramdisk/* files
168allow init tmpfs:file { getattr unlink };
169
170# Access pty created for fsck.
171allow init devpts:chr_file { read write open };
172
173# Create /dev/fscklogs files.
174allow init fscklogs:file create_file_perms;
175
176# Access /dev/__null__ node created prior to initial policy load.
177allow init tmpfs:chr_file write;
178
179# Access /dev/console.
180allow init console_device:chr_file rw_file_perms;
181
182# Access /dev/tty0.
183allow init tty_device:chr_file rw_file_perms;
184
185# Call mount(2).
186allow init self:global_capability_class_set sys_admin;
187
188# Call setns(2).
189allow init self:global_capability_class_set sys_chroot;
190
191# Create and mount on directories in /.
192allow init rootfs:dir create_dir_perms;
193allow init {
194 rootfs
195 cache_file
196 cgroup
197 linkerconfig_file
198 storage_file
199 mnt_user_file
200 system_data_file
201 system_data_root_file
202 system_dlkm_file
203 system_file
204 vendor_file
205 postinstall_mnt_dir
206 mirror_data_file
207 shell_data_file
208}:dir mounton;
209
210# Mount bpf fs on sys/fs/bpf
211allow init fs_bpf:dir mounton;
212
213# Mount on /dev/usb-ffs/adb.
214allow init device:dir mounton;
215
216# Mount tmpfs on /apex
217allow init apex_mnt_dir:dir mounton;
218
219# Bind-mount on /system/apex/com.android.art
220allow init art_apex_dir:dir mounton;
221
222# Create and remove symlinks in /.
223allow init rootfs:lnk_file { create unlink };
224
225# Mount debugfs on /sys/kernel/debug.
226allow init sysfs:dir mounton;
227
228# Create cgroups mount points in tmpfs and mount cgroups on them.
229allow init tmpfs:dir create_dir_perms;
230allow init tmpfs:dir mounton;
231allow init cgroup:dir create_dir_perms;
232allow init cgroup:file rw_file_perms;
233allow init cgroup_rc_file:file rw_file_perms;
234allow init cgroup_desc_file:file r_file_perms;
235allow init cgroup_desc_api_file:file r_file_perms;
236allow init vendor_cgroup_desc_file:file r_file_perms;
237allow init cgroup_v2:dir { mounton create_dir_perms};
238allow init cgroup_v2:file rw_file_perms;
239
240# /config
241allow init configfs:dir mounton;
242allow init configfs:dir create_dir_perms;
243allow init configfs:{ file lnk_file } create_file_perms;
244
245# /metadata
246allow init metadata_file:dir mounton;
247
248# Run restorecon on /dev
249allow init tmpfs:dir relabelfrom;
250
251# Create directories under /dev/cpuctl after chowning it to system.
252allow init self:global_capability_class_set { dac_override dac_read_search };
253
254# Set system clock.
255allow init self:global_capability_class_set sys_time;
256
257allow init self:global_capability_class_set { sys_rawio mknod };
258
259# Mounting filesystems from block devices.
260allow init dev_type:blk_file r_file_perms;
261allowxperm init dev_type:blk_file ioctl BLKROSET;
262allowxperm init system_data_root_file:dir ioctl F2FS_IOC_SHUTDOWN;
263
264# Mounting filesystems.
265# Only allow relabelto for types used in context= mount options,
266# which should all be assigned the contextmount_type attribute.
267# This can be done in device-specific policy via type or typeattribute
268# declarations.
269allow init {
270 fs_type
271 enforce_debugfs_restriction(`-debugfs_type')
272}:filesystem ~relabelto;
273
274# Allow init to mount/unmount debugfs in non-user builds.
275enforce_debugfs_restriction(`
276 userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
277')
278
279# Allow init to mount tracefs in /sys/kernel/tracing
280allow init debugfs_tracing_debug:filesystem mount;
281
282allow init unlabeled:filesystem ~relabelto;
283allow init contextmount_type:filesystem relabelto;
284
285# Allow read-only access to context= mounted filesystems.
286allow init contextmount_type:dir r_dir_perms;
287allow init contextmount_type:notdevfile_class_set r_file_perms;
288
289# restorecon /adb_keys or any other rootfs files and directories to a more
290# specific type.
291allow init rootfs:{ dir file } relabelfrom;
292
293# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
294# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
295# system/core/init.rc requires at least cache_file and data_file_type.
296# init.<board>.rc files often include device-specific types, so
297# we just allow all file types except /system files here.
298allow init self:global_capability_class_set { chown fowner fsetid };
299
300allow init {
301 file_type
302 -app_data_file
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame^]303 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
304 -storage_area_dir
305 -storage_area_app_dir
306 -storage_area_content_file
307 ')
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]308 -bpffs_type
309 -exec_type
310 -misc_logd_file
311 -nativetest_data_file
312 -privapp_data_file
313 -system_app_data_file
314 -system_dlkm_file_type
315 -system_file_type
316 -vendor_file_type
317}:dir { create search getattr open read setattr ioctl };
318
319allow init {
320 file_type
321 -app_data_file
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame^]322 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
323 -storage_area_dir
324 -storage_area_app_dir
325 -storage_area_content_file
326 ')
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]327 -bpffs_type
328 -credstore_data_file
329 -exec_type
330 -keystore_data_file
331 -media_userdir_file
332 -misc_logd_file
333 -nativetest_data_file
334 -privapp_data_file
335 -shell_data_file
336 -system_app_data_file
337 -system_dlkm_file_type
338 -system_file_type
339 -system_userdir_file
340 -vendor_file_type
341 -vendor_userdir_file
342 -vold_data_file
343}:dir { write add_name remove_name rmdir relabelfrom };
344
345allow init {
346 file_type
347 -apex_info_file
348 -app_data_file
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame^]349 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
350 -storage_area_dir
351 -storage_area_app_dir
352 -storage_area_content_file
353 ')
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]354 -bpffs_type
355 -exec_type
356 -gsi_data_file
357 -credstore_data_file
358 -keystore_data_file
359 -misc_logd_file
360 -nativetest_data_file
361 -privapp_data_file
362 -runtime_event_log_tags_file
363 -shell_data_file
364 -system_app_data_file
365 -system_dlkm_file_type
366 -system_file_type
367 -vendor_file_type
368 -vold_data_file
369 enforce_debugfs_restriction(`-debugfs_type')
370}:file { create getattr open read write setattr relabelfrom unlink map };
371
372allow init tracefs_type:file { create_file_perms relabelfrom };
373
374# Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine
375# subcontext for action/service defined in APEXes.
376allow init apex_info_file:file r_file_perms;
377
378allow init {
379 file_type
380 -app_data_file
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame^]381 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
382 -storage_area_dir
383 -storage_area_app_dir
384 -storage_area_content_file
385 ')
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]386 -bpffs_type
387 -exec_type
388 -gsi_data_file
389 -credstore_data_file
390 -keystore_data_file
391 -misc_logd_file
392 -nativetest_data_file
393 -privapp_data_file
394 -shell_data_file
395 -system_app_data_file
396 -system_dlkm_file_type
397 -system_file_type
398 -vendor_file_type
399 -vold_data_file
400}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
401
402allow init {
403 file_type
404 -apex_mnt_dir
405 -app_data_file
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame^]406 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
407 -storage_area_dir
408 -storage_area_app_dir
409 -storage_area_content_file
410 ')
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]411 -bpffs_type
412 -exec_type
413 -gsi_data_file
414 -credstore_data_file
415 -keystore_data_file
416 -misc_logd_file
417 -nativetest_data_file
418 -privapp_data_file
419 -shell_data_file
420 -system_app_data_file
421 -system_dlkm_file_type
422 -system_file_type
423 -vendor_file_type
424 -vold_data_file
425}:lnk_file { create getattr setattr relabelfrom unlink };
426
427allow init cache_file:lnk_file r_file_perms;
428
429allow init {
430 file_type
431 -bpffs_type
432 -system_dlkm_file_type
433 -system_file_type
434 -vendor_file_type
435 -exec_type
436 -app_data_file
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame^]437 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
438 -storage_area_dir
439 -storage_area_app_dir
440 -storage_area_content_file
441 ')
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]442 -privapp_data_file
443}:dir_file_class_set relabelto;
444
445allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
446allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
447allow init dev_type:dir create_dir_perms;
448allow init dev_type:lnk_file create;
449
450# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
451allow init debugfs_tracing:file w_file_perms;
452
453# Setup and control wifi event tracing (see wifi-events.rc)
454allow init debugfs_tracing_instances:dir create_dir_perms;
455allow init debugfs_tracing_instances:file w_file_perms;
456allow init debugfs_wifi_tracing:file w_file_perms;
457
458# chown/chmod on pseudo files.
459allow init {
460 fs_type
461 -bpffs_type
462 -contextmount_type
463 -keychord_device
464 -proc_type
465 -sdcard_type
466 -fusefs_type
467 -sysfs_type
468 -rootfs
469 enforce_debugfs_restriction(`-debugfs_type')
470}:file { open read setattr };
471allow init {
472 fs_type
473 -bpffs_type
474 -contextmount_type
475 -sdcard_type
476 -fusefs_type
477 -rootfs
478}:dir { open read setattr search };
479
480allow init {
481 binder_device
482 console_device
483 devpts
484 dm_device
485 hwbinder_device
486 input_device
487 kmsg_device
488 null_device
489 owntty_device
490 pmsg_device
491 ptmx_device
492 random_device
493 tty_device
494 zero_device
495}:chr_file { read open };
496
497# Unlabeled file access for upgrades from 4.2.
498allow init unlabeled:dir { create_dir_perms relabelfrom };
499allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
500
501# Any operation that can modify the kernel ring buffer, e.g. clear
502# or a read that consumes the messages that were read.
503allow init kernel:system syslog_mod;
504allow init self:global_capability2_class_set syslog;
505
506# init access to /proc.
507r_dir_file(init, proc_net_type)
508allow init proc_filesystems:file r_file_perms;
509
510userdebug_or_eng(`
511 # Overlayfs workdir write access check during mount to permit remount,rw
512 allow init overlayfs_file:dir { relabelfrom mounton write };
513 allow init overlayfs_file:file { append rename };
514 allow init overlayfs_file:chr_file unlink;
515 allow init system_block_device:blk_file { write };
516')
517
518allow init {
519 proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
520 proc_bootconfig
521 proc_cmdline
522 proc_diskstats
523 proc_kmsg # Open /proc/kmsg for logd service.
524 proc_meminfo
525 proc_stat # Read /proc/stat for bootchart.
526 proc_uptime
527 proc_version
528}:file r_file_perms;
529
530allow init {
531 proc_abi
532 proc_cpu_alignment
533 proc_dirty
534 proc_hostname
535 proc_hung_task
536 proc_extra_free_kbytes
537 proc_net_type
538 proc_max_map_count
539 proc_min_free_order_shift
540 proc_overcommit_memory # /proc/sys/vm/overcommit_memory
541 proc_panic
542 proc_page_cluster
543 proc_perf
544 proc_sched
545 proc_sysrq
546 proc_watermark_boost_factor
547}:file w_file_perms;
548
549allow init {
550 proc_security
551}:file rw_file_perms;
552
553# init chmod/chown access to /proc files.
554allow init {
555 proc_cmdline
556 proc_bootconfig
557 proc_kmsg
558 proc_net
559 proc_pagetypeinfo
560 proc_qtaguid_stat
561 proc_slabinfo
562 proc_sysrq
563 proc_qtaguid_ctrl
564 proc_vmallocinfo
565}:file setattr;
566
567# init access to /sys files.
568allow init {
569 sysfs_android_usb
570 sysfs_dm_verity
571 sysfs_leds
572 sysfs_power
573 sysfs_fs_f2fs
574 sysfs_dm
575 sysfs_lru_gen_enabled
576}:file w_file_perms;
577
578allow init {
579 sysfs_dt_firmware_android
580 sysfs_fs_ext4_features
581}:file r_file_perms;
582
583allow init {
584 sysfs_zram
585}:file rw_file_perms;
586
587# allow init to create loop devices with /dev/loop-control
588allow init loop_control_device:chr_file rw_file_perms;
589allow init loop_device:blk_file rw_file_perms;
590allowxperm init loop_device:blk_file ioctl {
591 LOOP_SET_FD
592 LOOP_CLR_FD
593 LOOP_CTL_GET_FREE
594 LOOP_SET_BLOCK_SIZE
595 LOOP_SET_DIRECT_IO
596 LOOP_GET_STATUS
597 LOOP_SET_STATUS64
598};
599
600# Allow init to write to vibrator/trigger
601allow init sysfs_vibrator:file w_file_perms;
602
603# init chmod/chown access to /sys files.
604allow init {
605 sysfs_android_usb
606 sysfs_devices_system_cpu
607 sysfs_ipv4
608 sysfs_leds
609 sysfs_lowmemorykiller
610 sysfs_power
611 sysfs_vibrator
612 sysfs_wake_lock
613 sysfs_zram
614}:file setattr;
615
616# Set usermodehelpers.
617allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
618
619allow init self:global_capability_class_set net_admin;
620
621# Reboot.
622allow init self:global_capability_class_set sys_boot;
623
624# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
625# Init will also walk through the directory as part of a recursive restorecon.
626allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
627allow init misc_logd_file:file { open create getattr setattr write };
628
629# Support "adb shell stop"
630allow init self:global_capability_class_set kill;
631allow init domain:process { getpgid sigkill signal };
632
633# Init creates credstore's directory on boot, and walks through
634# the directory as part of a recursive restorecon.
635allow init credstore_data_file:dir { open create read getattr setattr search };
636allow init credstore_data_file:file { getattr };
637
638# Init creates keystore's directory on boot, and walks through
639# the directory as part of a recursive restorecon.
640allow init keystore_data_file:dir { open create read getattr setattr search };
641allow init keystore_data_file:file { getattr };
642
643# Init creates vold's directory on boot, and walks through
644# the directory as part of a recursive restorecon.
645allow init vold_data_file:dir { open create read getattr setattr search };
646allow init vold_data_file:file { getattr };
647
648# Init creates /data/local/tmp at boot
649allow init shell_data_file:dir { open create read getattr setattr search };
650allow init shell_data_file:file { getattr };
651
652# Set UID, GID, and adjust capability bounding set for services.
653allow init self:global_capability_class_set { setuid setgid setpcap };
654
655# For bootchart to read the /proc/$pid/cmdline file of each process,
656# we need to have following line to allow init to have access
657# to different domains.
658r_dir_file(init, domain)
659
660# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
661# setexec is for services with seclabel options.
662# setfscreate is for labeling directories and socket files.
663# setsockcreate is for labeling local/unix domain sockets.
664allow init self:process { setexec setfscreate setsockcreate };
665
666# Get file context
667allow init file_contexts_file:file r_file_perms;
668
669# sepolicy access
670allow init sepolicy_file:file r_file_perms;
671
672# Perform SELinux access checks on setting properties.
673selinux_check_access(init)
674
675# Ask the kernel for the new context on services to label their sockets.
676allow init kernel:security compute_create;
677
678# Create sockets for the services.
679allow init domain:unix_stream_socket { create bind setopt };
680allow init domain:unix_dgram_socket { create bind setopt };
681
682# Create /data/property and files within it.
683allow init property_data_file:dir create_dir_perms;
684allow init property_data_file:file create_file_perms;
685
686# Set any property.
687allow init property_type:property_service set;
688
689# Send an SELinux userspace denial to the kernel audit subsystem,
690# so it can be picked up and processed by logd. These denials are
691# generated when an attempt to set a property is denied by policy.
692allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
693allow init self:global_capability_class_set audit_write;
694
695# Run "ifup lo" to bring up the localhost interface
696allow init self:udp_socket { create ioctl };
697# in addition to unpriv ioctls granted to all domains, init also needs:
698allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
699allow init self:global_capability_class_set net_raw;
700
701# Set scheduling info for psi monitor thread.
702# TODO: delete or revise this line b/131761776
703allow init kernel:process { getsched setsched };
704
705# swapon() needs write access to swap device
706# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
707allow init swap_block_device:blk_file rw_file_perms;
708
709# Create and access /dev files without a specific type,
710# e.g. /dev/.coldboot_done, /dev/.booting
711# TODO: Move these files into their own type unless they are
712# only ever accessed by init.
713allow init device:file create_file_perms;
714
715# keychord retrieval from /dev/input/ devices
716allow init input_device:dir r_dir_perms;
717allow init input_device:chr_file rw_file_perms;
718
719# Access device mapper for setting up dm-verity
720allow init dm_device:chr_file rw_file_perms;
721allow init dm_device:blk_file rw_file_perms;
722
723# Access dm-user for OTA boot
724allow init dm_user_device:chr_file rw_file_perms;
725
726# Access metadata block device for storing dm-verity state
727allow init metadata_block_device:blk_file rw_file_perms;
728
729# Read /sys/fs/pstore/console-ramoops to detect restarts caused
730# by dm-verity detecting corrupted blocks
731allow init pstorefs:dir search;
732allow init pstorefs:file r_file_perms;
733allow init kernel:system syslog_read;
734
735# linux keyring configuration
736allow init init:key { write search setattr };
737
738# Allow init to create /data/unencrypted
739allow init unencrypted_data_file:dir create_dir_perms;
740
741# Set encryption policy on dirs in /data
742allowxperm init { data_file_type unlabeled }:dir ioctl {
743 FS_IOC_GET_ENCRYPTION_POLICY
744 FS_IOC_SET_ENCRYPTION_POLICY
745};
746
747# Raw writes to misc block device
748allow init misc_block_device:blk_file w_file_perms;
749
750r_dir_file(init, system_file)
751r_dir_file(init, system_dlkm_file_type)
752r_dir_file(init, vendor_file_type)
753
754allow init system_data_file:file { getattr read };
755allow init system_data_file:lnk_file r_file_perms;
756
757# For init to be able to run shell scripts from vendor
758allow init vendor_shell_exec:file execute;
759
760# Metadata setup
761allow init vold_metadata_file:dir create_dir_perms;
762allow init vold_metadata_file:file getattr;
763allow init metadata_bootstat_file:dir create_dir_perms;
764allow init metadata_bootstat_file:file w_file_perms;
765allow init userspace_reboot_metadata_file:file w_file_perms;
766
767# Allow init to touch PSI monitors
768allow init proc_pressure_mem:file { rw_file_perms setattr };
769
770# init is using bootstrap bionic
771use_bootstrap_libs(init)
772
773# stat the root dir of fuse filesystems (for the mount handler)
774allow init fuse:dir { search getattr };
775
776# allow filesystem tuning
777allow init userdata_sysdev:file create_file_perms;
778
779# allow disk tuning
780allow init rootdisk_sysdev:file create_file_perms;
781
782###
783### neverallow rules
784###
785
786# The init domain is only entered via an exec based transition from the
787# kernel domain, never via setcon().
788neverallow domain init:process dyntransition;
789neverallow { domain -kernel } init:process transition;
790neverallow init { file_type fs_type -init_exec }:file entrypoint;
791
792# Never read/follow symlinks created by shell or untrusted apps.
793neverallow init shell_data_file:lnk_file read;
794neverallow init app_data_file_type:lnk_file read;
795
796# init should never execute a program without changing to another domain.
797neverallow init { file_type fs_type }:file execute_no_trans;
798
799# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
800# when init is executing other binaries. The use of LD_PRELOAD for init spawned
801# services is generally considered a no-no, as it injects libraries which the
802# binary was not expecting. This is especially problematic for APEXes. The use
803# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
804# code into a process which wasn't expecting that code, with potentially
805# unexpected side effects. (b/140789528)
806neverallow init *:process noatsecure;
807
808# init can never add binder services
809neverallow init service_manager_type:service_manager { add find };
810# init can never list binder services
811neverallow init servicemanager:service_manager list;
812
813# Init should not be creating subdirectories in /data/local/tmp
814neverallow init shell_data_file:dir { write add_name remove_name };
815
816# Init should not access sysfs node that are not explicitly labeled.
817neverallow init sysfs:file { open write };
818
819# No domain should be allowed to ptrace init.
820neverallow * init:process ptrace;
821
822# init owns the root of /data
823# TODO(b/140259336) We want to remove vendor_init
824# TODO(b/141108496) We want to remove toolbox
825neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
826
827# Only init is allowed to set userspace reboot related properties.
828neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
829
830neverallow init self:perf_event { kernel tracepoint read write };
831dontaudit init self:perf_event { kernel tracepoint read write };
832
833# Only init is allowed to set the sysprop indicating whether perf_event_open()
834# SELinux hooks were detected.
835neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
836
837# Only init can write vts.native_server.on
838neverallow { domain -init } vts_status_prop:property_service set;
839
840# Only init can write normal ro.boot. properties
841neverallow { domain -init } bootloader_prop:property_service set;
842
843# Only init can write hal.instrumentation.enable
844neverallow { domain -init } hal_instrumentation_prop:property_service set;
845
846# Only init can write ro.property_service.version
847neverallow { domain -init } property_service_version_prop:property_service set;
848
849# Only init can set keystore.boot_level
850neverallow { domain -init } keystore_listen_prop:property_service set;