# Domain for init (PID 1). The kernel starts init in the kernel domain and
# init switches itself into this domain with setcon (driven by init.rc);
# there is no exec-based entry into it. The neverallow rules at the end of
# this file enforce exactly that.
type init, domain;
# init is unconfined: unconfined_domain() grants the domain broadly, so the
# explicit allow rules below are the permissions that must survive if the
# unconfined macro is ever tightened. Every one of them is attack surface for
# the most privileged userspace process on the device, so keep them minimal.
unconfined_domain(init)
tmpfs_domain(init)

# sys_rawio (raw block-device I/O) and mknod (creating device nodes).
# NOTE(review): both are effectively root-equivalent capabilities; no rule
# here constrains which nodes init may create, only that it may.
allow init self:capability { sys_rawio mknod };

# Run helpers from / or /system without changing domain.
# We do not include exec_type here since generally those
# should always involve a domain transition.
# NOTE(review): execute_no_trans means the helper keeps running as init,
# i.e. unconfined. Anything labeled rootfs or system_file that init can be
# made to execute inherits init's privileges, so these labels must only ever
# cover trusted, read-only images.
allow init rootfs:file execute_no_trans;
allow init system_file:file execute_no_trans;

# Running e2fsck or mkswap via fs_mgr.
# NOTE(review): dev_type is an attribute, so this grants read/write on every
# block device node carrying a dev_type type, not only the partitions fs_mgr
# checks. A dedicated type for fs_mgr-managed partitions would narrow this.
allow init dev_type:blk_file rw_file_perms;

# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
# "~relabelto" is the complement: every filesystem permission EXCEPT
# relabelto. Without the exclusion init could attach any label to any mount,
# which is why context= targets are funnelled through contextmount_type.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;

# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;

# restorecon /adb_keys or any other rootfs files to a more specific type.
# Only relabelfrom rootfs is granted here; the relabelto side is governed
# by the file_type rule below.
allow init rootfs:file relabelfrom;

# restorecon and restorecon_recursive calls from init.rc files.
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
# The -exec_type exclusion is the important part: this rule cannot be used
# to relabel a file into an executable (entrypoint) type, so a restorecon
# from an init.rc cannot manufacture a new domain entrypoint.
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
allow init sysfs_type:{ dir file lnk_file } relabelto;

# Unlabeled file access for upgrades from 4.2.
# NOTE(review): this grants full create/write access on any unlabeled file
# or directory, not just legacy /data content; once 4.2 upgrades are no
# longer supported this should be reviewed for removal.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };

# Create /data/security from init.rc post-fs-data.
allow init security_file:dir { create setattr };

# setprop selinux.reload_policy 1 from init.rc post-fs-data.
allow init security_prop:property_service set;

# Reload policy upon setprop selinux.reload_policy 1.
# NOTE(review): load_policy replaces the kernel's policy wholesale, so the
# integrity of whatever init reads from security_file decides whether the
# rest of this file means anything; the read access below is what feeds it.
r_dir_file(init, security_file)
allow init kernel:security load_policy;

# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;

# Set usermodehelpers and /proc security settings.
# Write access to usermodehelper paths lets init choose which binaries the
# kernel invokes as helpers; treat changes here as policy-relevant.
allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;

# Transitions to seclabel processes in init.rc
# Each domain_trans() pairs an executable type with the target domain;
# shell is the only one not started from rootfs.
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, healthd)
recovery_only(`
  domain_trans(init, rootfs, recovery)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, rootfs, ueventd)
domain_trans(init, rootfs, watchdogd)

# Certain domains need LD_PRELOAD passed from init.
# https://android-review.googlesource.com/94851
# For now, allow it to most domains.
# TODO: scope this down.
# NOTE(review): noatsecure disables the secure-exec protections for the
# child, so every service init spawns (lmkd excepted) honours LD_PRELOAD and
# similar variables from init's environment. Narrowing this to the domains
# that actually need it is a hardening item, not cosmetics.
allow init { domain -lmkd }:process noatsecure;

# Support "adb shell stop"
allow init domain:process sigkill;

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
# Deliberately no write/open on keystore files: init only needs to see them.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };

# Init creates /data/local/tmp at boot
# Same shape as keystore above: directory management only, no file writes.
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };

# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };

# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;

# Set any property.
# property_type is the attribute over all property types, so this subsumes
# the security_prop rule above; init is the property service owner.
allow init property_type:property_service set;

# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };

# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
# NOTE(review): no init.rc consumer is cited for this; if boot produces no
# denial without it, it should be removed rather than carried forward.
allow init kernel:process setsched;

###
### neverallow rules
###
# These are compile-time assertions: the policy build fails if any rule,
# including device-specific additions, would grant what they forbid.

# The init domain is only entered via setcon from the kernel domain,
# never via an exec-based transition.
# Only kernel may dyntransition (setcon) into init ...
neverallow { domain -kernel} init:process dyntransition;
# ... no domain at all may exec-transition into it ...
neverallow domain init:process transition;
# ... and no file of any type may serve as an entrypoint for init, so there
# is no binary on the device that can be run to become init.
neverallow init { file_type fs_type }:file entrypoint;
    119 neverallow init { file_type fs_type }:file entrypoint;
    120