# Life begins with the kernel.
type kernel, domain;

# Run /init before we have switched domains.
allow kernel rootfs:file execute_no_trans;

# setcon to init domain.
allow kernel self:process setcurrent;
allow kernel init:process dyntransition;

# The kernel is unconfined.
unconfined_domain(kernel)

# cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search;

# Mount usbfs.
allow kernel usbfs:filesystem mount;

# init direct restorecon calls prior to switching to init domain
# /dev and /dev/socket
allow kernel { device socket_device }:dir relabelto;
# /dev/__properties__
allow kernel properties_device:file relabelto;
# /sys
allow kernel sysfs:{ dir file lnk_file } relabelfrom;
allow kernel sysfs_type:{ dir file lnk_file } relabelto;

# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
dontaudit kernel self:security setenforce;

# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;

# MTP sync (b/15835289)
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
allow kernel sdcard_type:file { read write };

# Allow the kernel to read OBB files from app directories. (b/17428116)
# Kernel thread "loop0" reads a vold supplied file descriptor.
# Fixes CTS tests:
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
allow kernel app_data_file:file read;

###
### neverallow rules
###

# The initial task starts in the kernel domain (assigned via
# initial_sid_contexts), but nothing ever transitions to it.
neverallow domain kernel:process { transition dyntransition };

# The kernel domain is never entered via an exec, nor should it
# ever execute a program outside the rootfs without changing to another domain.
# If you encounter an execute_no_trans denial on the kernel domain, then
# possible causes include:
# - The program is a kernel usermodehelper. In this case, define a domain
#   for the program and domain_auto_trans() to it.
# - You failed to setcon u:r:init:s0 in your init.rc and thus your init
#   program was left in the kernel domain and is now trying to execute
#   some other program. Fix your init.rc file.
# - You are running an exploit which switched to the init task credentials
#   and is then trying to exec a shell or other program. You lose!
neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };
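The two neverallow rules above are evaluated by checkpolicy at build time: an allow rule violates a neverallow whenever the two overlap in source, target, class and permission at the same time, after attributes have been expanded and the `-rootfs` set-difference applied. The following is an added example, not part of the Android policy or its build tooling. It is a toy checker that models only that much of the policy language; the attribute membership in `ATTRIBUTES` is a constructed approximation (an assumption, not the real policy's), and `BAD_RULES` are hypothetical rules written here to show what a violation looks like, for instance an exploit-friendly `execute_no_trans` on a system file or a transition back into `kernel`.

```python
"""Toy neverallow checker for the kernel.te rules above.

Added example, not part of the Android policy or its build tooling.
checkpolicy/secilc do the real job; this models only types, attributes
and set-difference ('-rootfs'), which is enough to evaluate the two
neverallow rules from kernel.te against a handful of allow rules.
"""
import re
from dataclasses import dataclass

# Assumed attribute membership (constructed; the real policy has many more types).
ATTRIBUTES = {
    "domain": {"kernel", "init", "shell"},
    "file_type": {"rootfs", "system_file", "app_data_file", "sdcard_external", "unlabeled"},
    "fs_type": {"rootfs", "sysfs", "usbfs", "sdcard_external", "unlabeled"},
    "sdcard_type": {"sdcard_external"},
    "sysfs_type": {"sysfs"},
}

SET = r"(\{[^}]*\}|\S+)"          # either a braced set or a single token
RULE_RE = re.compile(rf"^(allow|neverallow)\s+{SET}\s+{SET}:{SET}\s+{SET};$")


@dataclass(frozen=True)
class Rule:
    kind: str
    sources: frozenset
    targets: frozenset
    classes: frozenset
    perms: frozenset
    text: str


def tokens(expr):
    return expr.strip("{} ").split()


def expand_types(expr):
    """Expand '{ file_type fs_type -rootfs }' into concrete types.

    Positive tokens are attributes (expanded) or plain types; '-name' removes
    that attribute's members or that type after the positive union is built.
    """
    include, exclude = set(), set()
    for tok in tokens(expr):
        name = tok.lstrip("-")
        members = ATTRIBUTES.get(name, {name})
        (exclude if tok.startswith("-") else include).update(members)
    return frozenset(include - exclude)


def parse_rule(line):
    """Return a Rule for an allow/neverallow line, None for anything else."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None   # comments, type decls, macros and dontaudit are ignored here
    kind, src, tgt, cls, perms = m.groups()
    sources = expand_types(src)
    targets = sources if tgt == "self" else expand_types(tgt)
    return Rule(kind, sources, targets, frozenset(tokens(cls)),
                frozenset(tokens(perms)), line.strip())


def parse_policy(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]


def violations(rules):
    """Pair each allow with every neverallow it overlaps in all four fields."""
    allows = [r for r in rules if r.kind == "allow"]
    nevers = [r for r in rules if r.kind == "neverallow"]
    return [(a.text, n.text) for n in nevers for a in allows
            if a.sources & n.sources and a.targets & n.targets
            and a.classes & n.classes and a.perms & n.perms]


def check_policy(text):
    return violations(parse_policy(text))


# Rules copied from the kernel.te above (comments dropped).
KERNEL_TE = """
allow kernel rootfs:file execute_no_trans;
allow kernel self:process setcurrent;
allow kernel init:process dyntransition;
allow kernel sysfs:{ dir file lnk_file } relabelfrom;
allow kernel sysfs_type:{ dir file lnk_file } relabelto;
allow kernel self:security setcheckreqprot;
allow kernel sdcard_type:file { read write };
allow kernel app_data_file:file read;
neverallow domain kernel:process { transition dyntransition };
neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };
"""

# Hypothetical rules (constructed) that the neverallows are meant to reject.
BAD_RULES = """
allow kernel system_file:file execute_no_trans;
allow init kernel:process transition;
"""

if __name__ == "__main__":
    print("kernel.te violations:", check_policy(KERNEL_TE))          # expected: []
    for allow, never in check_policy(KERNEL_TE + BAD_RULES):
        print(f"VIOLATION: {allow}  <-  {never}")
```

Note that `allow kernel rootfs:file execute_no_trans` passes only because `-rootfs` is subtracted from the target set, and `allow kernel self:process setcurrent` passes because its permission does not intersect `{ transition dyntransition }`; the checker flags overlap, not equality, which is also why a single broad attribute in a new allow rule can trip a neverallow written against a different attribute.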