      1 # init is its own domain.
        # mlstrustedsubject exempts init from the MLS constraints that apply
        # to ordinary domains.
      2 type init, domain, mlstrustedsubject;
      3 tmpfs_domain(init)
      4 
      5 # The init domain is entered by execing init.
      6 type init_exec, exec_type, file_type;
      7 
      8 # /dev/__null__ node created by init.
      9 allow init tmpfs:chr_file create_file_perms;
     10 
     11 #
     12 # init direct restorecon calls.
     13 #
     14 # /dev/socket
     15 allow init { device socket_device }:dir relabelto;
     16 # /dev/__properties__
     17 allow init tmpfs:file relabelfrom;
     18 allow init properties_device:file relabelto;
     19 
     20 # setrlimit
     21 allow init self:capability sys_resource;
     22 
     23 # Remove /dev/.booting, created before initial policy load or restorecon /dev.
     24 allow init tmpfs:file unlink;
     25 
     26 # Access pty created for fsck.
     27 allow init devpts:chr_file { read write open };
     28 
     29 # Create /dev/fscklogs files.
     30 allow init fscklogs:file create_file_perms;
     31 
     32 # Access /dev/__null__ node created prior to initial policy load.
     33 allow init tmpfs:chr_file write;
     34 
     35 # Access /dev/console.
     36 allow init console_device:chr_file rw_file_perms;
     37 
     38 # Access /dev/tty0.
     39 allow init tty_device:chr_file rw_file_perms;
     40 
     41 # Call mount(2).
     42 allow init self:capability sys_admin;
     43 
     44 # Create and mount on directories in /.
     45 allow init rootfs:dir create_dir_perms;
     46 allow init rootfs:dir mounton;
     47 
     48 # Mount on /dev/usb-ffs/adb.
     49 allow init device:dir mounton;
     50 
     51 # Create and remove symlinks in /.
     52 allow init rootfs:lnk_file { create unlink };
     53 
     54 # Mount debugfs on /sys/kernel/debug.
     55 allow init sysfs:dir mounton;
     56 
     57 # Create cgroups mount points in tmpfs and mount cgroups on them.
     58 allow init tmpfs:dir create_dir_perms;
     59 allow init tmpfs:dir mounton;
     60 allow init cgroup:dir create_dir_perms;
     61 allow init cpuctl_device:dir { create mounton };
     62 
     63 # Use tmpfs as /data, used for booting when /data is encrypted
     64 allow init tmpfs:dir relabelfrom;
     65 
     66 # Create directories under /dev/cpuctl after chowning it to system.
     67 allow init self:capability dac_override;
     68 
     69 # Set system clock.
     70 allow init self:capability sys_time;
     71 
        # mknod: device nodes init creates itself (e.g. /dev/__null__ above).
        # NOTE(review): sys_rawio is not documented here; confirm it is still
        # required and record what uses it.
     72 allow init self:capability { sys_rawio mknod };
     73 
     74 # Mounting filesystems from block devices.
     75 allow init dev_type:blk_file r_file_perms;
     76 
     77 # Mounting filesystems.
     78 # Only allow relabelto for types used in context= mount options,
     79 # which should all be assigned the contextmount_type attribute.
     80 # This can be done in device-specific policy via type or typeattribute
     81 # declarations.
     82 allow init fs_type:filesystem ~relabelto;
     83 allow init unlabeled:filesystem ~relabelto;
     84 allow init contextmount_type:filesystem relabelto;
     85 
     86 # Allow read-only access to context= mounted filesystems.
     87 allow init contextmount_type:dir r_dir_perms;
     88 allow init contextmount_type:notdevfile_class_set r_file_perms;
     89 
     90 # restorecon /adb_keys or any other rootfs files to a more specific type.
     91 allow init rootfs:file relabelfrom;
     92 
     93 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
     94 # chown/chmod require open+read+setattr for open()+fchown()/fchmod().
     95 # system/core/init.rc requires at least cache_file and data_file_type.
     96 # init.<board>.rc files often include device-specific types, so
     97 # we just allow all file types except /system files here.
        # NOTE(review): the dir read/create rule below excludes fewer types
        # than the write/unlink rules that follow it. Keep the two exclusion
        # lists in step when adding a type that init must not modify.
     98 allow init self:capability { chown fowner fsetid };
     99 allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
    100 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
    101 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:file { create getattr open read write setattr relabelfrom unlink };
    102 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
    103 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
    104 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
    105 allow init sysfs:{ dir file lnk_file } { getattr relabelfrom };
    106 allow init sysfs_type:{ dir file lnk_file } relabelto;
    107 allow init dev_type:dir create_dir_perms;
    108 allow init dev_type:lnk_file create;
    109 
    110 # chown/chmod on pseudo files.
    111 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
    112 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
    113 
    114 # chown/chmod on devices.
        # kmem_device is deliberately excluded (presumably /dev/mem and
        # /dev/kmem — confirm against device.te).
    115 allow init { dev_type -kmem_device }:chr_file { read open setattr };
    116 
    117 # Unlabeled file access for upgrades from 4.2.
    118 allow init unlabeled:dir { create_dir_perms relabelfrom };
    119 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
    120 
    121 # Create /data/security from init.rc post-fs-data.
    122 allow init security_file:dir { create setattr };
    123 
    124 # Reload policy upon setprop selinux.reload_policy 1.
    125 # Note: this requires the following allow rule
    126 #   allow init kernel:security load_policy;
    127 # which can be configured on a device-by-device basis if needed.
    128 r_dir_file(init, security_file)
    129 
    130 # Any operation that can modify the kernel ring buffer, e.g. clear
    131 # or a read that consumes the messages that were read.
    132 allow init kernel:system syslog_mod;
    133 allow init self:capability2 syslog;
    134 
    135 # Set usermodehelpers and /proc security settings.
    136 allow init usermodehelper:file rw_file_perms;
    137 allow init proc_security:file rw_file_perms;
    138 
    139 # Write to /proc/sys/kernel/panic_on_oops.
    140 allow init proc:file w_file_perms;
    141 
    142 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
    143 allow init proc_net:file w_file_perms;
    144 allow init self:capability net_admin;
    145 
    146 # Write to /proc/sysrq-trigger.
    147 allow init proc_sysrq:file w_file_perms;
    148 
    149 # Reboot.
    150 allow init self:capability sys_boot;
    151 
    152 # Write to sysfs nodes.
    153 allow init sysfs_type:dir r_dir_perms;
    154 allow init sysfs_type:file w_file_perms;
    155 
    156 # Transitions to seclabel processes in init.rc
    157 domain_trans(init, rootfs, adbd)
    158 domain_trans(init, rootfs, healthd)
    159 domain_trans(init, rootfs, slideshow)
    160 recovery_only(`
    161   domain_trans(init, rootfs, recovery)
    162 ')
    163 domain_trans(init, shell_exec, shell)
    164 domain_trans(init, init_exec, ueventd)
    165 domain_trans(init, init_exec, watchdogd)
    166 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
    167 userdebug_or_eng(`
    168   domain_auto_trans(init, logcat_exec, logd)
    169 ')
    170 
    171 # Support "adb shell stop"
    172 allow init self:capability kill;
    173 allow init domain:process sigkill;
    174 
    175 # Init creates keystore's directory on boot, and walks through
    176 # the directory as part of a recursive restorecon.
        # NOTE(review): the :dir permissions here (and for vold and shell
        # below) appear to already be a subset of the broad file_type dir
        # rule above; the :file getattr is not, since these types are
        # excluded from that rule's file permissions.
    177 allow init keystore_data_file:dir { open create read getattr setattr search };
    178 allow init keystore_data_file:file { getattr };
    179 
    180 # Init creates vold's directory on boot, and walks through
    181 # the directory as part of a recursive restorecon.
    182 allow init vold_data_file:dir { open create read getattr setattr search };
    183 allow init vold_data_file:file { getattr };
    184 
    185 # Init creates /data/local/tmp at boot
    186 allow init shell_data_file:dir { open create read getattr setattr search };
    187 allow init shell_data_file:file { getattr };
    188 
    189 # Set UID and GID for services.
    190 allow init self:capability { setuid setgid };
    191 
    192 # For bootchart to read the /proc/$pid/cmdline file of each process,
    193 # we need to have following line to allow init to have access
    194 # to different domains.
    195 r_dir_file(init, domain)
    196 
    197 # Use setexeccon(), setfscreatecon(), and setsockcreatecon().
    198 # setexec is for services with seclabel options.
    199 # setfscreate is for labeling directories and socket files.
    200 # setsockcreate is for labeling local/unix domain sockets.
    201 allow init self:process { setexec setfscreate setsockcreate };
    202 
    203 # Perform SELinux access checks on setting properties.
    204 selinux_check_access(init)
    205 
    206 # Ask the kernel for the new context on services to label their sockets.
    207 allow init kernel:security compute_create;
    208 
    209 # Create sockets for the services.
    210 allow init domain:unix_stream_socket { create bind };
    211 allow init domain:unix_dgram_socket { create bind };
    212 
    213 # Create /data/property and files within it.
    214 allow init property_data_file:dir create_dir_perms;
    215 allow init property_data_file:file create_file_perms;
    216 
    217 # Set any property.
    218 allow init property_type:property_service set;
    219 
    220 # Run "ifup lo" to bring up the localhost interface
    221 allow init self:udp_socket { create ioctl };
    222 allow init self:capability net_raw;
    223 
    224 # This line seems suspect, as it should not really need to
    225 # set scheduling parameters for a kernel domain task.
    226 allow init kernel:process setsched;
    227 
    228 # swapon() needs write access to swap device
    229 # system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
    230 allow init swap_block_device:blk_file rw_file_perms;
    231 
    232 # Read from /dev/hw_random if present.
    233 # system/core/init/init.c - mix_hwrng_into_linux_rng_action
    234 allow init hw_random_device:chr_file r_file_perms;
    235 
    236 # Create and access /dev files without a specific type,
    237 # e.g. /dev/.coldboot_done, /dev/.booting
    238 # TODO:  Move these files into their own type unless they are
    239 # only ever accessed by init.
    240 allow init device:file create_file_perms;
    241 
    242 # Access character devices without a specific type,
    243 # e.g. /dev/keychord.
    244 # TODO: Move these devices into their own type unless they
    245 # are only ever accessed by init.
    246 allow init device:chr_file { rw_file_perms setattr };
    247 
    248 # keychord configuration
    249 allow init self:capability sys_tty_config;
    250 
    251 # Access device mapper for setting up dm-verity
    252 allow init dm_device:chr_file rw_file_perms;
    253 allow init dm_device:blk_file rw_file_perms;
    254 
    255 # Access metadata block device for storing dm-verity state
    256 allow init metadata_block_device:blk_file rw_file_perms;
    257 
    258 # Read /sys/fs/pstore/console-ramoops to detect restarts caused
    259 # by dm-verity detecting corrupted blocks
    260 allow init pstorefs:dir search;
    261 allow init pstorefs:file r_file_perms;
    262 
    263 # linux keyring configuration
    264 allow init init:key { write search setattr };
    265 
    266 # Allow init to create /data/unencrypted
    267 allow init unencrypted_data_file:dir create_dir_perms;
    268 
        # Connect to vold's unix socket. The reason is not recorded here;
        # confirm and document what init sends to vold.
    269 unix_socket_connect(init, vold, vold)
    270 
    271 ###
    272 ### neverallow rules
    273 ###
    274 
    275 # The init domain is only entered via setcon from the kernel domain,
    276 # never via an exec-based transition.
    277 neverallow domain init:process dyntransition;
    278 neverallow { domain -kernel} init:process transition;
        # Only init_exec may serve as an entrypoint into the init domain.
    279 neverallow init { file_type fs_type -init_exec }:file entrypoint;
    280 
    281 # Never read/follow symlinks created by shell or untrusted apps.
    282 neverallow init shell_data_file:lnk_file read;
    283 neverallow init app_data_file:lnk_file read;
    284 
    285 # init should never execute a program without changing to another domain.
    286 neverallow init { file_type fs_type }:file execute_no_trans;
    286
    287