# Policy for the init domain (PID 1).
# init switches to init domain (via init.rc): it enters this domain by a
# setcon from the kernel domain, never by an exec-based transition — see the
# neverallow rules at the end of this file.
type init, domain;
# init is unconfined.  unconfined_domain() supplies the broad baseline; the
# explicit allow rules below cover accesses that baseline does not include
# (compare against the macro definition in unconfined.te when editing).
unconfined_domain(init)
tmpfs_domain(init)

# Raw I/O on block devices and creation of device nodes (mknod).  Both are
# capabilities that bypass ordinary file-permission checks, so keep this set
# minimal.
allow init self:capability { sys_rawio mknod };

# Run helpers from / or /system without changing domain.
# We do not include exec_type here since generally those
# should always involve a domain transition.
# Anything run this way keeps init's full (unconfined) privilege, so services
# should instead get their own label via domain_trans()/seclabel (see the
# "Transitions" section below).
allow init rootfs:file execute_no_trans;
allow init system_file:file execute_no_trans;

# Running e2fsck or mkswap via fs_mgr.
# NOTE: this is read/write on every block device node carrying the dev_type
# attribute, not just the filesystem partitions fs_mgr handles.
allow init dev_type:blk_file rw_file_perms;

# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
# "~relabelto" grants every filesystem-class permission except relabelto, so
# contextmount_type is the sole gate on which labels a context= mount may use.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;

# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;

# restorecon /adb_keys or any other rootfs files to a more specific type.
# (relabelfrom only — the target type still needs a matching relabelto below.)
allow init rootfs:file relabelfrom;

# restorecon and restorecon_recursive calls from init.rc files.
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
# Both system_file and every type carrying exec_type are excluded, so init
# cannot relabel a file into /system's type or into an executable entrypoint
# type through this rule.
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
allow init sysfs_type:{ dir file lnk_file } relabelto;

# Unlabeled file access for upgrades from 4.2.
# Files created before labeling existed carry the "unlabeled" type; init may
# create alongside them and relabel them away from that type.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };

# Create /data/security from init.rc post-fs-data.
allow init security_file:dir { create setattr };

# setprop selinux.reload_policy 1 from init.rc post-fs-data.
allow init security_prop:property_service set;

# Reload policy upon setprop selinux.reload_policy 1.
# Reading security_file plus load_policy is what lets init replace the
# kernel's loaded policy at runtime; this path is only as trustworthy as the
# files under security_file.
r_dir_file(init, security_file)
allow init kernel:security load_policy;

# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;

# Set usermodehelpers and /proc security settings.
# rw on these proc-backed types lets init change kernel-side settings
# (presumably the /proc/sys entries those types label — verify in file_contexts).
allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;

# Transitions to seclabel processes in init.rc
# Each domain_trans(init, <entrypoint type>, <domain>) lets init exec a file of
# that type and land the child in that domain.  The recovery transition is
# only compiled in for recovery builds.
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, healthd)
recovery_only(`
domain_trans(init, rootfs, recovery)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, rootfs, ueventd)
domain_trans(init, rootfs, watchdogd)

# Certain domains need LD_PRELOAD passed from init.
# https://android-review.googlesource.com/94851
# For now, allow it to most domains.
# TODO: scope this down.
# noatsecure leaves AT_SECURE clear for the child, so the dynamic loader does
# not sanitize LD_PRELOAD and similar environment variables.  Every domain
# except lmkd currently gets this; each additional domain that legitimately
# needs it should be listed explicitly rather than keeping the blanket grant.
allow init { domain -lmkd }:process noatsecure;

# Support "adb shell stop"
# init may SIGKILL a process in any domain.
allow init domain:process sigkill;

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
# Directory-level access only; init gets getattr on the files, not read.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };

# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };

# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
# These only choose the label of the next exec/file/socket; the chosen label
# must still be permitted by the transition and relabel rules above.
allow init self:process { setexec setfscreate setsockcreate };

# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;

# Set any property.
# property_type is the attribute over all property types, so this is unbounded
# by design: init is the property service's owner.
allow init property_type:property_service set;

# Run "ifup lo" to bring up the localhost interface
# Only socket creation and ioctl — no bind/connect/send on the socket.
allow init self:udp_socket { create ioctl };

# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow init kernel:process setsched;

###
### neverallow rules
###

# The init domain is only entered via setcon from the kernel domain,
# never via an exec-based transition.
# 1) Only the kernel domain may dyntransition (setcon) into init.
neverallow { domain -kernel} init:process dyntransition;
# 2) No domain, including kernel, may exec its way into init.
neverallow domain init:process transition;
# 3) No file of any file or filesystem type may serve as an entrypoint for
#    init, so there is no binary whose execution lands in this domain.
neverallow init { file_type fs_type }:file entrypoint;
