| Alex Klyubin | f5446eb | 2017-03-23 14:27:32 -0700 | [diff] [blame] | 1 | typeattribute init coredomain; |
| 2 | |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 3 | tmpfs_domain(init) |
| 4 | |
| 5 | # Transitions to seclabel processes in init.rc |
| Sandeep Patil | 137a13d | 2016-12-15 12:36:45 -0800 | [diff] [blame] | 6 | domain_trans(init, rootfs, healthd) |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 7 | domain_trans(init, rootfs, slideshow) |
| Tao Bao | ecc7e8c | 2018-09-07 15:05:33 -0700 | [diff] [blame] | 8 | domain_auto_trans(init, charger_exec, charger) |
| Jin Qian | 4de505b | 2017-05-02 13:45:08 -0700 | [diff] [blame] | 9 | domain_auto_trans(init, e2fs_exec, e2fs) |
| Joel Fernandes | 147cf64 | 2018-11-29 13:07:40 -0800 | [diff] [blame] | 10 | domain_auto_trans(init, bpfloader_exec, bpfloader) |
| 11 | |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 12 | recovery_only(` |
| Tao Bao | ecc7e8c | 2018-09-07 15:05:33 -0700 | [diff] [blame] | 13 | # Files in recovery image are labeled as rootfs. |
| Bowgo Tsai | 5846c79 | 2017-07-31 18:38:28 +0800 | [diff] [blame] | 14 | domain_trans(init, rootfs, adbd) |
| Tao Bao | ecc7e8c | 2018-09-07 15:05:33 -0700 | [diff] [blame] | 15 | domain_trans(init, rootfs, charger) |
| Jerry Zhang | 1d85efa | 2018-05-29 10:54:16 -0700 | [diff] [blame] | 16 | domain_trans(init, rootfs, fastbootd) |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 17 | domain_trans(init, rootfs, recovery) |
| Kiyoung Kim | 2c271aa | 2019-12-09 14:57:46 +0900 | [diff] [blame] | 18 | domain_trans(init, rootfs, linkerconfig) |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 19 | ') |
| 20 | domain_trans(init, shell_exec, shell) |
| 21 | domain_trans(init, init_exec, ueventd) |
| Tom Cherry | 621c24c | 2017-09-28 14:34:36 -0700 | [diff] [blame] | 22 | domain_trans(init, init_exec, vendor_init) |
| Sandeep Patil | e41af20 | 2017-06-02 16:09:26 -0700 | [diff] [blame] | 23 | domain_trans(init, { rootfs toolbox_exec }, modprobe) |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 24 | userdebug_or_eng(` |
| Tom Cherry | 938ab05 | 2018-08-03 10:49:20 -0700 | [diff] [blame] | 25 | # case where logpersistd is actually logcat -f in logd context (nee: logcatd) |
| Mark Salyzyn | da62cb4 | 2016-08-10 11:10:02 -0700 | [diff] [blame] | 26 | domain_auto_trans(init, logcat_exec, logpersist) |
| Tom Cherry | 938ab05 | 2018-08-03 10:49:20 -0700 | [diff] [blame] | 27 | |
| 28 | # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng |
| 29 | allow init su:process transition; |
| 30 | dontaudit init su:process noatsecure; |
| 31 | allow init su:process { siginh rlimitinh }; |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 32 | ') |
| Branden Archer | d36b1d5 | 2018-11-27 15:47:12 -0800 | [diff] [blame] | 33 | |
| Nikita Ioffe | 23ba976 | 2019-12-09 21:21:55 +0000 | [diff] [blame] | 34 | # Allow init to figure out name of dm-device from it's /dev/block/dm-XX path. |
| 35 | # This is useful in case of remounting ext4 userdata into checkpointing mode, |
| 36 | # since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto) |
| 37 | # that userdata is mounted onto. |
| 38 | allow init sysfs_dm:file read; |
| 39 | |
| Branden Archer | d36b1d5 | 2018-11-27 15:47:12 -0800 | [diff] [blame] | 40 | # Allow the BoringSSL self test to request a reboot upon failure |
| 41 | set_prop(init, powerctl_prop) |
| Nikita Ioffe | 7065e46 | 2019-11-14 12:59:15 +0000 | [diff] [blame] | 42 | |
| 43 | # Only init is allowed to set userspace reboot related properties. |
| Nikita Ioffe | 7065e46 | 2019-11-14 12:59:15 +0000 | [diff] [blame] | 44 | set_prop(init, userspace_reboot_exported_prop) |
| Nikita Ioffe | 7065e46 | 2019-11-14 12:59:15 +0000 | [diff] [blame] | 45 | neverallow { domain -init } userspace_reboot_exported_prop:property_service set; |
| Ryan Savitski | 52b3d31 | 2020-01-14 18:20:06 +0000 | [diff] [blame] | 46 | |
| 47 | # Second-stage init performs a test for whether the kernel has SELinux hooks |
| 48 | # for the perf_event_open() syscall. This is done by testing for the syscall |
| 49 | # outcomes corresponding to this policy. |
| 50 | # TODO(b/137092007): this can be removed once the platform stops supporting |
| 51 | # kernels that precede the perf_event_open hooks (Android common kernels 4.4 |
| 52 | # and 4.9). |
| 53 | allow init self:perf_event { open cpu }; |
| Alistair Delva | 178f0ac | 2020-06-05 10:15:30 -0700 | [diff] [blame] | 54 | allow init self:global_capability2_class_set perfmon; |
| Ryan Savitski | 52b3d31 | 2020-01-14 18:20:06 +0000 | [diff] [blame] | 55 | neverallow init self:perf_event { kernel tracepoint read write }; |
| 56 | dontaudit init self:perf_event { kernel tracepoint read write }; |
| 57 | |
| 58 | # Only init is allowed to set the sysprop indicating whether perf_event_open() |
| 59 | # SELinux hooks were detected. |
| 60 | set_prop(init, init_perf_lsm_hooks_prop) |
| 61 | neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set; |
| Inseob Kim | 212e2b6 | 2020-07-14 02:10:37 +0900 | [diff] [blame] | 62 | |
| 63 | # Only init can write vts.native_server.on |
| 64 | set_prop(init, vts_status_prop) |
| 65 | neverallow { -init } vts_status_prop:property_service set; |
| Inseob Kim | 8c34247 | 2020-07-23 17:54:35 +0900 | [diff] [blame^] | 66 | |
| 67 | # Only init can write normal ro.boot. properties |
| 68 | neverallow { -init } bootloader_prop:property_service set; |