# kernel.te -- rules for the "kernel" domain, i.e. everything that runs before
# init has transitioned into its own domain (first-stage init, early
# setup_selinux work, kernel threads).  Rules are grouped by purpose; the set
# of (source, target, class, permission) tuples is what matters, not order.
typeattribute kernel coredomain;

# First-stage init execs /system/bin/init and lands in the init domain.
domain_auto_trans(kernel, init_exec, init)

# ---------------------------------------------------------------------------
# Virtual A/B OTA transition window.
# Once policy is loaded, snapuserd has to be re-launched in its own context and
# the device nodes it created have to carry their proper labels.  Both happen
# before enforcement is switched on -- permissive mode, still in the kernel
# context -- so the kernel domain must be able to move labels *off* tmpfs and
# *onto* the real device types.  Nothing here is intended to be exercised once
# enforcing mode is on.
# ---------------------------------------------------------------------------
allow kernel tmpfs:{ blk_file chr_file lnk_file } { getattr relabelfrom };
allow kernel tmpfs:dir { open read relabelfrom };

allow kernel { block_device dm_device }:blk_file relabelto;
allow kernel block_device:lnk_file relabelto;
allow kernel {
    dm_device
    dm_user_device
    kmsg_device
    null_device
    random_device
}:chr_file relabelto;
allow kernel dm_user_device:dir { read open search relabelto };
allow kernel kmsg_device:chr_file write;
allow kernel vd_device:blk_file read;

# Capabilities needed while still in the kernel domain:
#   sys_nice -- scheduling adjustments during early boot;
#   sys_boot -- init may reboot (on certain error conditions) before it has
#               switched SELinux domains.
allow kernel self:global_capability_class_set { sys_nice sys_boot };

# Root filesystem: read access, plus the ability to relabel init's own
# executable (rootfs -> init_exec) so the domain transition above can fire.
r_dir_file(kernel, rootfs)
allow kernel rootfs:file relabelfrom;
allow kernel init_exec:file relabelto;

# androidboot.selinux is read from the kernel command line / bootconfig.
allow kernel { proc_bootconfig proc_cmdline }:file r_file_perms;

# selinuxfs: query enforcing status, and let init.rc set checkreqprot before
# the switch into the init domain.
allow kernel selinuxfs:dir r_dir_perms;
allow kernel selinuxfs:file r_file_perms;
allow kernel selinuxfs:file write;
allow kernel self:security setcheckreqprot;

# Init performs its initial setenforce while still in this domain.  This is a
# dontaudit rather than an allow on purpose: the access is silenced, never
# granted, so a userspace process that ends up running in the kernel domain
# cannot switch SELinux off again once it has been enabled.
dontaudit kernel self:security setenforce;

# file_contexts is consulted during first stage.
allow kernel file_contexts_file:file r_file_perms;

# TODO: the reason this is required has not been established; keep it under
# review rather than widening it.
allow kernel init:process share;

# cgroup filesystem is set up before its root directory has been labelled.
allow kernel unlabeled:dir search;

# As part of the early reboot path, init writes "u" to /proc/sysrq-trigger to
# remount filesystems read-only.  /data is not mounted yet, so this could be
# ignored; for now it is allowed.
allow kernel proc_sysrq:file w_file_perms;

# /dev/kmsg is created before policy load and therefore still lives on tmpfs.
allow kernel tmpfs:chr_file write;

# Kernel thread "loop0" (loop block device) backing ASECs (b/17158723).
allow kernel { sdcard_type fuse }:file { read write };

# APEX uses the loopback driver; on older kernels the loop requests are issued
# from a kernel thread, which needs to use apexd's file descriptors.  The
# apkdmverity rule grants the same use permission (no rationale was recorded
# with it).
allow kernel { apexd apkdmverity }:fd use;

# Microdroid: `restorecon_recursive /microdroid_resources` runs during the
# setup_selinux stage, i.e. in the kernel domain.  Doing it here keeps odd
# grants such as `allow init tmpfs:file relabelfrom;` out of the init domain.
allow kernel microdroid_resources_file:dir { read open search relabelto };
allow kernel microdroid_resources_file:file relabelto;
allow kernel tmpfs:file { getattr relabelfrom };