Inseob Kime1389972021-07-19 07:48:34 +00001typeattribute init coredomain;
2
3tmpfs_domain(init)
4
5domain_trans(init, shell_exec, shell)
6domain_trans(init, init_exec, ueventd)
7domain_trans(init, init_exec, vendor_init)
8
10# Allow init to figure out the name of a dm-device from its /dev/block/dm-XX path.
11# This is useful when remounting ext4 userdata into checkpointing mode,
12# since that potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypt)
13# that userdata is mounted onto.
13allow init sysfs_dm:file read;
14
15# Second-stage init performs a test for whether the kernel has SELinux hooks
16# for the perf_event_open() syscall: it issues the syscall and checks that the
17# outcome matches this policy (open/cpu allowed; kernel/tracepoint/read/write denied, and dontaudited below so the expected denials do not pollute the audit log).
18allow init self:perf_event { open cpu };
19allow init self:global_capability2_class_set perfmon;
20dontaudit init self:perf_event { kernel tracepoint read write };
21
22# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
23# /dev/block.
24allow init vd_device:blk_file relabelto;
25
26# chown/chmod (setattr) on character devices; hw_random_device and kvm_device are explicitly carved out of this grant and should stay excluded.
27allow init {
28 dev_type
29 -hw_random_device
30 -kvm_device
31}:chr_file setattr;
32
33# /dev/__null__ node created by init.
34allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
35
36# /dev/__properties__
37allow init properties_device:dir relabelto;
38allow init properties_serial:file { write relabelto };
39allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
40# /dev/__properties__/property_info
41allow init properties_device:file create_file_perms;
42allow init property_info:file relabelto;
43# /dev/event-log-tags
44allow init device:file relabelfrom;
45allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
46# /dev/socket
47allow init { device socket_device dm_user_device }:dir relabelto;
48# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
49allow init { null_device ptmx_device random_device } : chr_file relabelto;
50# /dev/device-mapper, /dev/block(/.*)?
51allow init tmpfs:{ chr_file blk_file } relabelfrom;
52allow init tmpfs:blk_file getattr;
53allow init block_device:{ dir blk_file lnk_file } relabelto;
54allow init dm_device:{ chr_file blk_file } relabelto;
55allow init dm_user_device:chr_file relabelto;
56allow init kernel:fd use;
57# restorecon for early mount device symlinks
58allow init tmpfs:lnk_file { getattr read relabelfrom };
59
60# setrlimit
61allow init self:global_capability_class_set sys_resource;
62
63# Remove /dev/.booting and load /debug_ramdisk/* files
64allow init tmpfs:file { getattr unlink };
65
66# Access pty created for fsck.
67allow init devpts:chr_file { read write open };
68
69# Access /dev/__null__ node created prior to initial policy load.
70allow init tmpfs:chr_file write;
71
72# Access /dev/console.
73allow init console_device:chr_file rw_file_perms;
74
75# Access /dev/tty0.
76allow init tty_device:chr_file rw_file_perms;
77
78# Call mount(2). CAP_SYS_ADMIN also unlocks many unrelated privileged operations; it is granted here only to the init domain itself (self:).
79allow init self:global_capability_class_set sys_admin;
80
81# Call setns(2).
82allow init self:global_capability_class_set sys_chroot;
83
84# Create and mount on directories in /.
85allow init rootfs:dir create_dir_perms;
86allow init {
87 rootfs
88 cgroup
89 linkerconfig_file
90 system_data_file
91 system_data_root_file
92 system_file
93 vendor_file
94}:dir mounton;
95
96# Mount bpf fs on sys/fs/bpf
97allow init fs_bpf:dir mounton;
98
99# Mount on /dev/usb-ffs/adb.
100allow init device:dir mounton;
101
102# Mount tmpfs on /apex
103allow init apex_mnt_dir:dir mounton;
104
105# Create and remove symlinks in /.
106allow init rootfs:lnk_file { create unlink };
107
108# Mount debugfs on /sys/kernel/debug.
109allow init sysfs:dir mounton;
110
111# Create cgroups mount points in tmpfs and mount cgroups on them.
112allow init tmpfs:dir create_dir_perms;
113allow init tmpfs:dir mounton;
114allow init cgroup:dir create_dir_perms;
115allow init cgroup:file rw_file_perms;
116allow init cgroup_rc_file:file rw_file_perms;
117allow init cgroup_desc_file:file r_file_perms;
118allow init cgroup_desc_api_file:file r_file_perms;
119allow init cgroup_v2:dir { mounton create_dir_perms};
120allow init cgroup_v2:file rw_file_perms;
121
122# Use tmpfs as /data, used for booting when /data is encrypted
123allow init tmpfs:dir relabelfrom;
124
125# Create directories under /dev/cpuctl after chowning it to system (the DAC capabilities below let init keep acting on files it no longer owns after that chown).
126allow init self:global_capability_class_set { dac_override dac_read_search };
127
128allow init self:global_capability_class_set { sys_rawio mknod };
129
130# Mounting filesystems from block devices: read access plus only the BLKROSET ioctl; no other ioctls on dev_type block files are granted here.
131allow init dev_type:blk_file r_file_perms;
132allowxperm init dev_type:blk_file ioctl BLKROSET;
133
134# Mounting filesystems.
135# fs_type gets every filesystem permission except relabelto. relabelto is
136# granted separately (below) only for contextmount_type, i.e. the types used
137# in context= mount options. Any such type must carry the contextmount_type
138# attribute; this can be done in device-specific policy via type or typeattribute declarations.
139allow init {
140 fs_type
141}:filesystem ~relabelto;
142
143# Allow init to mount tracefs in /sys/kernel/tracing
144allow init debugfs_tracing_debug:filesystem mount;
145
146allow init unlabeled:filesystem ~relabelto;
147allow init contextmount_type:filesystem relabelto;
148
149# Allow read-only access to context= mounted filesystems.
150allow init contextmount_type:dir r_dir_perms;
151allow init contextmount_type:notdevfile_class_set r_file_perms;
152
153# restorecon /adb_keys or any other rootfs files and directories to a more
154# specific type.
155allow init rootfs:{ dir file } relabelfrom;
156
157# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
158# chown/chmod need open+read+setattr, since they are implemented as open()+fchown()/fchmod().
159# system/core/init.rc requires at least cache_file and data_file_type.
160# init.<board>.rc files often include device-specific types, so the rules below
161# allow all file types except executables and /system and /vendor files, minus the per-class exclusions listed explicitly in each rule (e.g. shell_data_file, apex_info_file, runtime_event_log_tags_file).
162allow init self:global_capability_class_set { chown fowner fsetid };
163
164allow init {
165 file_type
166 -exec_type
167 -system_file_type
168 -vendor_file_type
169}:dir { create search getattr open read setattr ioctl };
170
171allow init {
172 file_type
173 -exec_type
Inseob Kime1389972021-07-19 07:48:34 +0000174 -shell_data_file
175 -system_file_type
176 -vendor_file_type
177}:dir { write add_name remove_name rmdir relabelfrom };
178
179allow init {
180 file_type
181 -apex_info_file
182 -exec_type
Inseob Kime1389972021-07-19 07:48:34 +0000183 -runtime_event_log_tags_file
184 -shell_data_file
185 -system_file_type
186 -vendor_file_type
187}:file { create getattr open read write setattr relabelfrom unlink map };
188
189allow init tracefs_type:file { create_file_perms relabelfrom };
190
191allow init {
192 file_type
193 -exec_type
Inseob Kime1389972021-07-19 07:48:34 +0000194 -shell_data_file
195 -system_file_type
196 -vendor_file_type
197}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
198
199allow init {
200 file_type
201 -apex_mnt_dir
202 -exec_type
Inseob Kime1389972021-07-19 07:48:34 +0000203 -shell_data_file
204 -system_file_type
205 -vendor_file_type
206}:lnk_file { create getattr setattr relabelfrom unlink };
207
208allow init {
209 file_type
210 -system_file_type
211 -vendor_file_type
212 -exec_type
213}:dir_file_class_set relabelto;
214
215allow init { sysfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
216allow init { sysfs_type tracefs_type }:{ dir file lnk_file } { relabelto getattr };
217allow init dev_type:dir create_dir_perms;
218allow init dev_type:lnk_file create;
219
220# chown/chmod on files of pseudo-filesystems. Note the exclusions in each rule below (context= mounts, fuse and rootfs for both; /proc and sysfs additionally for the file rule); those are covered by the more specific rules elsewhere in this file.
221allow init {
222 fs_type
223 -contextmount_type
224 -proc_type
225 -fusefs_type
226 -sysfs_type
227 -rootfs
228}:file { open read setattr };
229allow init { fs_type -contextmount_type -fusefs_type -rootfs }:dir { open read setattr search };
230
231allow init {
232 binder_device
233 console_device
234 devpts
235 dm_device
236 hwbinder_device
237 kmsg_device
238 null_device
239 owntty_device
240 ptmx_device
241 random_device
242 tty_device
243 zero_device
244}:chr_file { read open };
245
246# Any operation that can modify the kernel ring buffer, e.g. clear
247# or a read that consumes the messages that were read.
248allow init kernel:system syslog_mod;
249allow init self:global_capability2_class_set syslog;
250
251# init access to /proc.
252r_dir_file(init, proc_net_type)
253allow init proc_filesystems:file r_file_perms;
254
255allow init {
256 proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
257 proc_bootconfig
258 proc_cmdline
259 proc_diskstats
260 proc_kmsg # Open /proc/kmsg for logd service.
261 proc_meminfo
262 proc_stat # Read /proc/stat for bootchart.
263 proc_uptime
264 proc_version
265}:file r_file_perms;
266
267allow init {
268 proc_abi
269 proc_dirty
270 proc_hostname
271 proc_hung_task
272 proc_extra_free_kbytes
273 proc_net_type
274 proc_max_map_count
275 proc_min_free_order_shift
276 proc_overcommit_memory # /proc/sys/vm/overcommit_memory
277 proc_panic
278 proc_page_cluster
279 proc_perf
280 proc_sched
281 proc_sysrq
282}:file w_file_perms;
283
284allow init {
285 proc_security
286}:file rw_file_perms;
287
288# init chmod/chown access to /proc files.
289allow init {
290 proc_cmdline
291 proc_bootconfig
292 proc_kmsg
293 proc_net
294 proc_pagetypeinfo
295 proc_qtaguid_stat
296 proc_slabinfo
297 proc_sysrq
298 proc_qtaguid_ctrl
299 proc_vmallocinfo
300}:file setattr;
301
302# init access to /sys files.
303allow init {
304 sysfs_android_usb
305 sysfs_dm_verity
306 sysfs_leds
307 sysfs_power
308 sysfs_fs_f2fs
309 sysfs_dm
310}:file w_file_perms;
311
312allow init {
313 sysfs_dt_firmware_android
314 sysfs_fs_ext4_features
315}:file r_file_perms;
316
317allow init {
318 sysfs_zram
319}:file rw_file_perms;
320
321# allow init to create loop devices with /dev/loop-control
322allow init loop_control_device:chr_file rw_file_perms;
323allow init loop_device:blk_file rw_file_perms;
324allowxperm init loop_device:blk_file ioctl {
325 LOOP_SET_FD
326 LOOP_CLR_FD
327 LOOP_CTL_GET_FREE
328 LOOP_SET_BLOCK_SIZE
329 LOOP_SET_DIRECT_IO
330 LOOP_GET_STATUS
331};
332
333# init chmod/chown access to /sys files.
334allow init {
335 sysfs_android_usb
336 sysfs_devices_system_cpu
337 sysfs_ipv4
338 sysfs_leds
339 sysfs_lowmemorykiller
340 sysfs_power
341 sysfs_vibrator
342 sysfs_wake_lock
343 sysfs_zram
344}:file setattr;
345
346allow init self:global_capability_class_set net_admin;
347
348# Reboot.
349allow init self:global_capability_class_set sys_boot;
350
351# Support "adb shell stop": init may signal/kill processes in any domain.
352allow init self:global_capability_class_set kill;
353allow init domain:process { getpgid sigkill signal };
354
355# Init creates /data/local/tmp at boot. shell_data_file is excluded from the broad file_type rules above, so only what is needed to create and stat the directory is granted here: no write/add_name/remove_name on the directory and no write/unlink on its contents.
356allow init shell_data_file:dir { open create read getattr setattr search };
357allow init shell_data_file:file { getattr };
358
359# Set UID, GID, and adjust capability bounding set for services.
360allow init self:global_capability_class_set { setuid setgid setpcap };
361
362# For bootchart to read the /proc/$pid/cmdline file of each process,
363# we need to have following line to allow init to have access
364# to different domains.
365r_dir_file(init, domain)
366
367# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
368# setexec is for services with seclabel options.
369# setfscreate is for labeling directories and socket files.
370# setsockcreate is for labeling local/unix domain sockets.
371allow init self:process { setexec setfscreate setsockcreate };
372
373# Get file context
374allow init file_contexts_file:file r_file_perms;
375
376# sepolicy access
377allow init sepolicy_file:file r_file_perms;
378
379# Perform SELinux access checks on setting properties.
380selinux_check_access(init)
381
382# Ask the kernel for the new context on services to label their sockets.
383allow init kernel:security compute_create;
384
385# Create sockets for the services.
386allow init domain:unix_stream_socket { create bind setopt };
387allow init domain:unix_dgram_socket { create bind setopt };
388
389# Set any property.
390allow init property_type:property_service set;
391
392# Send an SELinux userspace denial to the kernel audit subsystem,
393# so it can be picked up and processed by logd. These denials are
394# generated when an attempt to set a property is denied by policy.
395allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
396allow init self:global_capability_class_set audit_write;
397
398# Run "ifup lo" to bring up the localhost interface
399allow init self:udp_socket { create ioctl };
400# in addition to unpriv ioctls granted to all domains, init also needs:
401allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
402allow init self:global_capability_class_set net_raw;
403
404# Set scheduling info for psi monitor thread.
405# TODO: delete or revise this line b/131761776
406allow init kernel:process { getsched setsched };
407
408# Create and access /dev files without a specific type,
409# e.g. /dev/.coldboot_done, /dev/.booting
410# TODO: Move these files into their own type unless they are
411# only ever accessed by init.
412allow init device:file create_file_perms;
413
414# Access device mapper for setting up dm-verity
415allow init dm_device:chr_file rw_file_perms;
416allow init dm_device:blk_file rw_file_perms;
417
418# Linux keyring configuration: init may write to, search and change attributes of its own keyring.
419allow init init:key { write search setattr };
420
421r_dir_file(init, system_file)
422r_dir_file(init, vendor_file_type)
423
424allow init system_data_file:file { getattr read };
425allow init system_data_file:lnk_file r_file_perms;
426
427# Allow init to touch PSI monitors
428allow init proc_pressure_mem:file { rw_file_perms setattr };
429
430# init is using bootstrap bionic
Jiyong Park16c1ae32022-01-23 23:55:41 +0900431use_bootstrap_libs(init)
433# stat the root dir of fuse filesystems (for the mount handler)
434allow init fuse:dir { search getattr };
435
436set_prop(init, property_type)