private/init.te

typeattribute init coredomain;

tmpfs_domain(init)

# Transitions to seclabel processes in init.rc
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, charger_exec, charger)
domain_auto_trans(init, e2fs_exec, e2fs)
domain_auto_trans(init, bpfloader_exec, bpfloader)

recovery_only(`
  # Files in recovery image are labeled as rootfs.
  domain_trans(init, rootfs, adbd)
  domain_trans(init, rootfs, hal_bootctl_server)
  domain_trans(init, rootfs, charger)
  domain_trans(init, rootfs, fastbootd)
  domain_trans(init, rootfs, hal_fastboot_server)
  domain_trans(init, rootfs, hal_health_server)
  domain_trans(init, rootfs, recovery)
  domain_trans(init, rootfs, linkerconfig)
  domain_trans(init, rootfs, servicemanager)
  domain_trans(init, rootfs, snapuserd)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, vendor_init)
domain_trans(init, { rootfs toolbox_exec }, modprobe)
userdebug_or_eng(`
  # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
  domain_auto_trans(init, logcat_exec, logpersist)

  # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
  allow init su:process transition;
  dontaudit init su:process noatsecure;
  allow init su:process { siginh rlimitinh };
')

# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
# This is useful in case of remounting ext4 userdata into checkpointing mode,
# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
# that userdata is mounted onto.
allow init sysfs_dm:file read;

# Allow init to modify the properties of loop devices.
allow init sysfs_loop:dir r_dir_perms;
allow init sysfs_loop:file rw_file_perms;

# Allow init to examine the properties of block devices.
allow init sysfs_type:file { getattr read };
# Allow init get the attributes of block devices in /dev/block.
allow init dev_type:dir r_dir_perms;
allow init dev_type:blk_file getattr;

# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;

# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)

set_prop(init, userspace_reboot_exported_prop)

# Second-stage init performs a test for whether the kernel has SELinux hooks
# for the perf_event_open() syscall. This is done by testing for the syscall
# outcomes corresponding to this policy.
# TODO(b/137092007): this can be removed once the platform stops supporting
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
# and 4.9).
allow init self:perf_event { open cpu };
allow init self:global_capability2_class_set perfmon;

# Allow opening /proc/kallsyms so that on boot, init can create and retain an
# fd with the full address visibility (which is evaluated on open and persists
# for the lifetime of the open file description). This fd can then be shared
# with other privileged processes.
allow init proc_kallsyms:file r_file_perms;

# Allow init to communicate with snapuserd to transition Virtual A/B devices
# from the first-stage daemon to the second-stage.
allow init snapuserd_socket:sock_file write;
allow init snapuserd:unix_stream_socket connectto;
# Allow for libsnapshot's use of flock() on /metadata/ota.
allow init ota_metadata_file:dir lock;

# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;

set_prop(init, init_perf_lsm_hooks_prop)
set_prop(init, vts_status_prop)

# Allow init to set 16kb app compatibility props
set_prop(init, bionic_linker_16kb_app_compat_prop)

# Allow init to set/get prefetch boot prop to initiate record/replay
set_prop(init, ctl_prefetch_prop);

# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;

# PRNG seeder daemon socket is created and listened on by init before forking.
allow init prng_seeder:unix_stream_socket { create bind listen };

# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
# attempt to write a non exisiting 'synthetic_events' file, when setting
# up synthetic events. This is a no-op in tracefs.
dontaudit init debugfs_tracing_debug:dir { write add_name };

# chown/chmod on devices.
allow init {
  dev_type
  -hw_random_device
  -keychord_device
  -vm_manager_device_type
  -port_device
}:chr_file setattr;

# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };

#
# init direct restorecon calls.
#
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { getattr write relabelto };
# /dev/kmsg_debug
userdebug_or_eng(`
  allow init kmsg_debug_device:chr_file { open write relabelto };
')
# /mnt/vm, also permissions to mkdir / mount / chmod / chown
allow init vm_data_file:dir { add_name create search write getattr setattr relabelto mounton };

# allow init to mount and unmount debugfs in debug builds
userdebug_or_eng(`
  allow init debugfs:dir mounton;
')

# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
# /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
# /dev/event-log-tags
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
allow init { device socket_device dm_user_device }:dir relabelto;
# allow init to establish connection and communicate with lmkd
unix_socket_connect(init, lmkd, lmkd)
# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
# and /dev/urandom
allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
allow init dm_user_device:chr_file relabelto;
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
allow init {
  metadata_block_device
  misc_block_device
  recovery_block_device
  system_block_device
  userdata_block_device
}:{ blk_file lnk_file } relabelto;

allow init dtbo_block_device:lnk_file relabelto;
allow init super_block_device:lnk_file relabelto;

# Create /mnt/sdcard -> /storage/self/primary symlink.
allow init mnt_sdcard_file:lnk_file create;

# setrlimit
allow init self:global_capability_class_set sys_resource;

# Remove /dev/.booting and load /debug_ramdisk/* files
allow init tmpfs:file { getattr unlink };

# Access pty created for fsck.
allow init devpts:chr_file { read write open };

# Create /dev/fscklogs files.
allow init fscklogs:file create_file_perms;

# Access /dev/__null__ node created prior to initial policy load.
allow init tmpfs:chr_file write;

# Access /dev/console.
allow init console_device:chr_file rw_file_perms;

# Access /dev/tty0.
allow init tty_device:chr_file rw_file_perms;

# Call mount(2).
allow init self:global_capability_class_set sys_admin;

# Call setns(2).
allow init self:global_capability_class_set sys_chroot;

# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init {
    rootfs
    cache_file
    cgroup
    linkerconfig_file
    storage_file
    mnt_user_file
    system_data_file
    system_data_root_file
    system_dlkm_file
    system_file
    vendor_file
    postinstall_mnt_dir
    mirror_data_file
    shell_data_file
}:dir mounton;

# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;

# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;

# Mount tmpfs on /apex
allow init apex_mnt_dir:dir mounton;

# Bind-mount on /system/apex/com.android.art
allow init art_apex_dir:dir mounton;

# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };

# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;

# Create cgroups mount points in tmpfs and mount cgroups on them.
allow init tmpfs:dir create_dir_perms;
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
allow init cgroup:file rw_file_perms;
allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
allow init vendor_cgroup_desc_file:file r_file_perms;
allow init cgroup_v2:dir { mounton create_dir_perms};
allow init cgroup_v2:file rw_file_perms;

# /config
allow init configfs:dir mounton;
allow init configfs:dir create_dir_perms;
allow init configfs:{ file lnk_file } create_file_perms;

# /metadata
allow init metadata_file:dir mounton;

# Run restorecon on /dev
allow init tmpfs:dir relabelfrom;

# Create directories under /dev/cpuctl after chowning it to system.
allow init self:global_capability_class_set { dac_override dac_read_search };

# Set system clock.
allow init self:global_capability_class_set sys_time;

allow init self:global_capability_class_set { sys_rawio mknod };

# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
allowxperm init dev_type:blk_file ioctl BLKROSET;
allowxperm init system_data_root_file:dir ioctl F2FS_IOC_SHUTDOWN;

# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
allow init {
  fs_type
  enforce_debugfs_restriction(`-debugfs_type')
}:filesystem ~relabelto;

# Allow init to mount/unmount debugfs in non-user builds.
enforce_debugfs_restriction(`
  userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
')

# Allow init to mount tracefs in /sys/kernel/tracing
allow init debugfs_tracing_debug:filesystem mount;

allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;

# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;

# restorecon /adb_keys or any other rootfs files and directories to a more
# specific type.
allow init rootfs:{ dir file } relabelfrom;

# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow init self:global_capability_class_set { chown fowner fsetid };

allow init {
  file_type
  -app_data_file
  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
    -storage_area_dir
    -storage_area_app_dir
    -storage_area_content_file
  ')
  -vm_data_file
  -bpffs_type
  -exec_type
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -system_app_data_file
  -system_dlkm_file_type
  -system_file_type
  -vendor_file_type
}:dir { create search getattr open read setattr ioctl };

allow init {
  file_type
  -app_data_file
  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
    -storage_area_dir
    -storage_area_app_dir
    -storage_area_content_file
  ')
  -vm_data_file
  -bpffs_type
  -credstore_data_file
  -exec_type
  -keystore_data_file
  -media_userdir_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -shell_data_file
  -system_app_data_file
  -system_dlkm_file_type
  -system_file_type
  -system_userdir_file
  -vendor_file_type
  -vendor_userdir_file
  -vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };

allow init {
  file_type
  -apex_info_file
  -app_data_file
  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
    -storage_area_dir
    -storage_area_app_dir
    -storage_area_content_file
  ')
  -vm_data_file
  -bpffs_type
  -exec_type
  -gsi_data_file
  -credstore_data_file
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -runtime_event_log_tags_file
  -shell_data_file
  -system_app_data_file
  -system_dlkm_file_type
  -system_file_type
  -vendor_file_type
  -vold_data_file
  enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };

allow init tracefs_type:file { create_file_perms relabelfrom };

# Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine
# subcontext for action/service defined in APEXes.
allow init apex_info_file:file r_file_perms;

allow init {
  file_type
  -app_data_file
  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
    -storage_area_dir
    -storage_area_app_dir
    -storage_area_content_file
  ')
  -vm_data_file
  -bpffs_type
  -exec_type
  -gsi_data_file
  -credstore_data_file
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -shell_data_file
  -system_app_data_file
  -system_dlkm_file_type
  -system_file_type
  -vendor_file_type
  -vold_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

allow init {
  file_type
  -apex_mnt_dir
  -app_data_file
  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
    -storage_area_dir
    -storage_area_app_dir
    -storage_area_content_file
  ')
  -vm_data_file
  -bpffs_type
  -exec_type
  -gsi_data_file
  -credstore_data_file
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -shell_data_file
  -system_app_data_file
  -system_dlkm_file_type
  -system_file_type
  -vendor_file_type
  -vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };

allow init cache_file:lnk_file r_file_perms;

allow init {
  file_type
  -bpffs_type
  -system_dlkm_file_type
  -system_file_type
  -vendor_file_type
  -exec_type
  -app_data_file
  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
    -storage_area_dir
    -storage_area_app_dir
    -storage_area_content_file
  ')
  -vm_data_file
  -privapp_data_file
}:dir_file_class_set relabelto;

allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;

# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow init debugfs_tracing:file w_file_perms;

# Setup and control wifi event tracing (see wifi-events.rc)
allow init debugfs_tracing_instances:dir create_dir_perms;
allow init debugfs_tracing_instances:file w_file_perms;
allow init debugfs_wifi_tracing:file w_file_perms;
allow init debugfs_wifi_tracing:dir create_dir_perms;

# chown/chmod on pseudo files.
allow init {
  fs_type
  -bpffs_type
  -contextmount_type
  -keychord_device
  -proc_type
  -sdcard_type
  -fusefs_type
  -sysfs_type
  -rootfs
  enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
allow init {
  fs_type
  -bpffs_type
  -contextmount_type
  -sdcard_type
  -fusefs_type
  -rootfs
}:dir { open read setattr search };

allow init {
  binder_device
  console_device
  devpts
  dm_device
  hwbinder_device
  input_device
  kmsg_device
  null_device
  owntty_device
  pmsg_device
  ptmx_device
  random_device
  tty_device
  zero_device
}:chr_file { read open };

# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };

# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
allow init self:global_capability2_class_set syslog;

# init access to /proc.
r_dir_file(init, proc_net_type)
allow init proc_filesystems:file r_file_perms;

userdebug_or_eng(`
  # Overlayfs workdir write access check during mount to permit remount,rw
  allow init overlayfs_file:dir { relabelfrom mounton write };
  allow init overlayfs_file:file { append rename };
  allow init overlayfs_file:chr_file unlink;
  allow init system_block_device:blk_file { write };
')

allow init {
  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
  proc_bootconfig
  proc_cmdline
  proc_diskstats
  proc_kmsg # Open /proc/kmsg for logd service.
  proc_meminfo
  proc_stat # Read /proc/stat for bootchart.
  proc_uptime
  proc_version
}:file r_file_perms;

allow init {
  proc_abi
  proc_cpu_alignment
  proc_dirty
  proc_hostname
  proc_hung_task
  proc_extra_free_kbytes
  proc_net_type
  proc_max_map_count
  proc_min_free_order_shift
  proc_overcommit_memory      # /proc/sys/vm/overcommit_memory
  proc_panic
  proc_page_cluster
  proc_perf
  proc_sched
  proc_sysrq
  proc_watermark_boost_factor
}:file w_file_perms;

allow init {
  proc_security
}:file rw_file_perms;

# init chmod/chown access to /proc files.
allow init {
  proc_cmdline
  proc_bootconfig
  proc_kmsg
  proc_net
  proc_pagetypeinfo
  proc_qtaguid_stat
  proc_slabinfo
  proc_sysrq
  proc_qtaguid_ctrl
  proc_vmallocinfo
}:file setattr;

# init access to /sys files.
allow init {
  sysfs_android_usb
  sysfs_dm_verity
  sysfs_leds
  sysfs_power
  sysfs_fs_f2fs
  sysfs_dm
  sysfs_lru_gen_enabled
  sysfs_pgsize_migration
}:file w_file_perms;

allow init {
  sysfs_dt_firmware_android
  sysfs_fs_ext4_features
}:file r_file_perms;

allow init {
  sysfs_zram
}:file rw_file_perms;

# allow init to create loop devices with /dev/loop-control
allow init loop_control_device:chr_file rw_file_perms;
allow init loop_device:blk_file rw_file_perms;
allowxperm init loop_device:blk_file ioctl {
  LOOP_SET_FD
  LOOP_CLR_FD
  LOOP_CTL_GET_FREE
  LOOP_SET_BLOCK_SIZE
  LOOP_SET_DIRECT_IO
  LOOP_GET_STATUS
  LOOP_SET_STATUS64
};

# Allow init to write to vibrator/trigger
allow init sysfs_vibrator:file w_file_perms;

# init chmod/chown access to /sys files.
allow init {
  sysfs_android_usb
  sysfs_devices_system_cpu
  sysfs_firmware_acpi_tables
  sysfs_ipv4
  sysfs_leds
  sysfs_lowmemorykiller
  sysfs_power
  sysfs_vibrator
  sysfs_wake_lock
  sysfs_zram
}:file setattr;

# Set usermodehelpers.
allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;

allow init self:global_capability_class_set net_admin;

# Reboot.
allow init self:global_capability_class_set sys_boot;

# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
# Init will also walk through the directory as part of a recursive restorecon.
allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
allow init misc_logd_file:file { open create getattr setattr write };

# Support "adb shell stop"
allow init self:global_capability_class_set kill;
allow init domain:process { getpgid sigkill signal };

# Init creates credstore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init credstore_data_file:dir { open create read getattr setattr search };
allow init credstore_data_file:file { getattr };

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };

# Init creates vold's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init vold_data_file:dir { open create read getattr setattr search };
allow init vold_data_file:file { getattr };

# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };

# Set UID, GID, and adjust capability bounding set for services.
allow init self:global_capability_class_set { setuid setgid setpcap };

# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have following line to allow init to have access
# to different domains.
r_dir_file(init, domain)

# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };

# Get file context
allow init file_contexts_file:file r_file_perms;

# sepolicy access
allow init sepolicy_file:file r_file_perms;

# Perform SELinux access checks on setting properties.
selinux_check_access(init)

# Ask the kernel for the new context on services to label their sockets.
allow init kernel:security compute_create;

# Create sockets for the services.
allow init domain:unix_stream_socket { create bind setopt };
allow init domain:unix_dgram_socket { create bind setopt };

# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;

# Set any property.
allow init property_type:property_service set;

# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:global_capability_class_set audit_write;

# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs:
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
allow init self:global_capability_class_set net_raw;

# Set scheduling info for psi monitor thread.
# TODO: delete or revise this line b/131761776
allow init kernel:process { getsched setsched };

# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;

# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO:  Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file create_file_perms;

# keychord retrieval from /dev/input/ devices
allow init input_device:dir r_dir_perms;
allow init input_device:chr_file rw_file_perms;

# Access device mapper for setting up dm-verity
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;

# Access dm-user for OTA boot
allow init dm_user_device:chr_file rw_file_perms;

# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;

# Read /sys/fs/pstore/console-ramoops to detect restarts caused
# by dm-verity detecting corrupted blocks
allow init pstorefs:dir search;
allow init pstorefs:file r_file_perms;
allow init kernel:system syslog_read;

# linux keyring configuration
allow init init:key { write search setattr };

# Allow init to create /data/unencrypted
allow init unencrypted_data_file:dir create_dir_perms;

# Set encryption policy on dirs in /data
allowxperm init { data_file_type unlabeled }:dir ioctl {
  FS_IOC_GET_ENCRYPTION_POLICY
  FS_IOC_SET_ENCRYPTION_POLICY
};

# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;

r_dir_file(init, system_file)
r_dir_file(init, system_dlkm_file_type)
r_dir_file(init, vendor_file_type)

allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file r_file_perms;

# For init to be able to run shell scripts from vendor
allow init vendor_shell_exec:file execute;

# Metadata setup
allow init vold_metadata_file:dir create_dir_perms;
allow init vold_metadata_file:file getattr;
allow init metadata_bootstat_file:dir create_dir_perms;
allow init metadata_bootstat_file:file w_file_perms;
allow init userspace_reboot_metadata_file:file w_file_perms;

# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { rw_file_perms setattr };

# init is using bootstrap bionic
use_bootstrap_libs(init)

# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };

# allow filesystem tuning
allow init userdata_sysdev:file create_file_perms;

# allow disk tuning
allow init rootdisk_sysdev:file create_file_perms;

###
### neverallow rules
###

# The init domain is only entered via an exec based transition from the
# kernel domain, never via setcon().
neverallow domain init:process dyntransition;
neverallow { domain -kernel } init:process transition;
neverallow init { file_type fs_type -init_exec }:file entrypoint;

# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
neverallow init app_data_file_type:lnk_file read;

# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;

# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
# when init is executing other binaries. The use of LD_PRELOAD for init spawned
# services is generally considered a no-no, as it injects libraries which the
# binary was not expecting. This is especially problematic for APEXes. The use
# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
# code into a process which wasn't expecting that code, with potentially
# unexpected side effects. (b/140789528)
neverallow init *:process noatsecure;

# init can never add binder services
neverallow init service_manager_type:service_manager { add find };
# init can never list binder services
neverallow init servicemanager:service_manager list;

# Init should not be creating subdirectories in /data/local/tmp
neverallow init shell_data_file:dir { write add_name remove_name };

# Init should not access sysfs node that are not explicitly labeled.
neverallow init sysfs:file { open write };

# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;

# init owns the root of /data
# TODO(b/140259336) We want to remove vendor_init
# TODO(b/141108496) We want to remove toolbox
neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };

# Only init is allowed to set userspace reboot related properties.
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;

neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };

# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;

# Only init can write vts.native_server.on
neverallow { domain -init } vts_status_prop:property_service set;

# Only init can write normal ro.boot. properties
neverallow { domain -init } bootloader_prop:property_service set;

# Only init can write hal.instrumentation.enable
neverallow { domain -init } hal_instrumentation_prop:property_service set;

# Only init can write ro.property_service.version
neverallow { domain -init } property_service_version_prop:property_service set;

# Only init can set keystore.boot_level
neverallow { domain -init } keystore_listen_prop:property_service set;