| Alex Klyubin | f5446eb | 2017-03-23 14:27:32 -0700 | [diff] [blame] | 1 | typeattribute init coredomain; |
| 2 | |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 3 | tmpfs_domain(init) |
| 4 | |
| 5 | # Transitions to seclabel processes in init.rc |
| Sandeep Patil | 137a13d | 2016-12-15 12:36:45 -0800 | [diff] [blame] | 6 | domain_trans(init, rootfs, healthd) |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 7 | domain_trans(init, rootfs, slideshow) |
| Tao Bao | ecc7e8c | 2018-09-07 15:05:33 -0700 | [diff] [blame] | 8 | domain_auto_trans(init, charger_exec, charger) |
| Jin Qian | 4de505b | 2017-05-02 13:45:08 -0700 | [diff] [blame] | 9 | domain_auto_trans(init, e2fs_exec, e2fs) |
| Joel Fernandes | 147cf64 | 2018-11-29 13:07:40 -0800 | [diff] [blame] | 10 | domain_auto_trans(init, bpfloader_exec, bpfloader) |
| 11 | |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 12 | recovery_only(` |
| Tao Bao | ecc7e8c | 2018-09-07 15:05:33 -0700 | [diff] [blame] | 13 | # Files in recovery image are labeled as rootfs. |
| Bowgo Tsai | 5846c79 | 2017-07-31 18:38:28 +0800 | [diff] [blame] | 14 | domain_trans(init, rootfs, adbd) |
| Tao Bao | ecc7e8c | 2018-09-07 15:05:33 -0700 | [diff] [blame] | 15 | domain_trans(init, rootfs, charger) |
| Jerry Zhang | 1d85efa | 2018-05-29 10:54:16 -0700 | [diff] [blame] | 16 | domain_trans(init, rootfs, fastbootd) |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 17 | domain_trans(init, rootfs, recovery) |
| Kiyoung Kim | 2c271aa | 2019-12-09 14:57:46 +0900 | [diff] [blame] | 18 | domain_trans(init, rootfs, linkerconfig) |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 19 | ') |
| 20 | domain_trans(init, shell_exec, shell) |
| 21 | domain_trans(init, init_exec, ueventd) |
| Tom Cherry | 621c24c | 2017-09-28 14:34:36 -0700 | [diff] [blame] | 22 | domain_trans(init, init_exec, vendor_init) |
| Sandeep Patil | e41af20 | 2017-06-02 16:09:26 -0700 | [diff] [blame] | 23 | domain_trans(init, { rootfs toolbox_exec }, modprobe) |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 24 | userdebug_or_eng(` |
| Tom Cherry | 938ab05 | 2018-08-03 10:49:20 -0700 | [diff] [blame] | 25 | # case where logpersistd is actually logcat -f in logd context (nee: logcatd) |
| Mark Salyzyn | da62cb4 | 2016-08-10 11:10:02 -0700 | [diff] [blame] | 26 | domain_auto_trans(init, logcat_exec, logpersist) |
| Tom Cherry | 938ab05 | 2018-08-03 10:49:20 -0700 | [diff] [blame] | 27 | |
| 28 | # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng |
| 29 | allow init su:process transition; |
| 30 | dontaudit init su:process noatsecure; |
| 31 | allow init su:process { siginh rlimitinh }; |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 32 | ') |
| Branden Archer | d36b1d5 | 2018-11-27 15:47:12 -0800 | [diff] [blame] | 33 | |
| Nikita Ioffe | 23ba976 | 2019-12-09 21:21:55 +0000 | [diff] [blame] | 34 | # Allow init to figure out name of dm-device from it's /dev/block/dm-XX path. |
| 35 | # This is useful in case of remounting ext4 userdata into checkpointing mode, |
| 36 | # since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto) |
| 37 | # that userdata is mounted onto. |
| 38 | allow init sysfs_dm:file read; |
| 39 | |
| Branden Archer | d36b1d5 | 2018-11-27 15:47:12 -0800 | [diff] [blame] | 40 | # Allow the BoringSSL self test to request a reboot upon failure |
| 41 | set_prop(init, powerctl_prop) |
| Nikita Ioffe | 7065e46 | 2019-11-14 12:59:15 +0000 | [diff] [blame] | 42 | |
| 43 | # Only init is allowed to set userspace reboot related properties. |
| 44 | set_prop(init, userspace_reboot_prop) |
| 45 | set_prop(init, userspace_reboot_exported_prop) |
| 46 | neverallow { domain -init } userspace_reboot_prop:property_service set; |
| 47 | neverallow { domain -init } userspace_reboot_exported_prop:property_service set; |