# Life begins with the kernel.
type kernel, domain, mlstrustedsubject;

allow kernel self:capability sys_nice;

# Allow init to relabel itself.
allow kernel rootfs:file relabelfrom;
allow kernel init_exec:file relabelto;
# TODO: investigate why we need this.
allow kernel init:process share;

# cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search;

# Mount usbfs.
allow kernel usbfs:filesystem mount;
allow kernel usbfs:dir search;

# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
dontaudit kernel self:security setenforce;

# Write to /proc/1/oom_adj prior to switching to init domain.
allow kernel self:capability sys_resource;

# Init reboot before switching selinux domains under certain error
# conditions. Allow it.
# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
# remount filesystems read-only. /data is not mounted at this point,
# so we could ignore this. For now, we allow it.
allow kernel self:capability sys_boot;
allow kernel proc_sysrq:file w_file_perms;

# Allow writing to /dev/__kmsg__ which was created prior to
# loading policy.
allow kernel tmpfs:chr_file write;

# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel selinuxfs:file write;
allow kernel self:security setcheckreqprot;

# MTP sync (b/15835289)
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
allow kernel untrusted_app:fd use;
allow kernel sdcard_type:file { read write };

# Allow the kernel to read OBB files from app directories. (b/17428116)
# Kernel thread "loop0" reads a vold supplied file descriptor.
# Fixes CTS tests:
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
allow kernel vold:fd use;
allow kernel app_data_file:file read;
allow kernel asec_image_file:file read;

domain_auto_trans(kernel, init_exec, init)

###
### neverallow rules
###

# The initial task starts in the kernel domain (assigned via
# initial_sid_contexts), but nothing ever transitions to it.
neverallow domain kernel:process { transition dyntransition };

# The kernel domain is never entered via an exec, nor should it
# ever execute a program outside the rootfs without changing to another domain.
# If you encounter an execute_no_trans denial on the kernel domain, then
# possible causes include:
# - The program is a kernel usermodehelper. In this case, define a domain
#   for the program and domain_auto_trans() to it.
# - You failed to setcon u:r:init:s0 in your init.rc and thus your init
#   program was left in the kernel domain and is now trying to execute
#   some other program. Fix your init.rc file.
# - You are running an exploit which switched to the init task credentials
#   and is then trying to exec a shell or other program. You lose!
neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };
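To show how the two neverallow rules above are evaluated at policy build time (attribute expansion, the `-rootfs` subtraction, and `self` targets), here is a small checker added as an example; it is not part of the Android sepolicy sources, and its ATTRIBUTES table and SAMPLE_POLICY are constructed stand-ins for the attribute membership and rule set that checkpolicy sees in the full policy.

```python
import re

# Constructed stand-in for attribute membership, which checkpolicy derives from
# type declarations across the whole policy; just enough for the rules above.
ATTRIBUTES = {
    "domain": {"kernel", "init", "untrusted_app", "vold"},
    "file_type": {"rootfs", "init_exec", "app_data_file", "system_file"},
    "fs_type": {"rootfs", "usbfs", "tmpfs", "selinuxfs", "proc_sysrq"},
}

_SET = r"(\{[^}]*\}|[\w-]+)"  # bare name or brace-delimited set
RULE_RE = re.compile(rf"^\s*(allow|neverallow)\s+{_SET}\s+{_SET}:(\w+)\s+{_SET}\s*;")

# Constructed excerpt of the rules above, used as sample input.
SAMPLE_POLICY = """
allow kernel rootfs:file relabelfrom;
allow kernel init:process share;
allow kernel app_data_file:file read;
neverallow domain kernel:process { transition dyntransition };
neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };
"""

def expand(spec):
    """Expand 'a b -c' (braces optional): attributes become their member
    types, '-x' subtracts x, anything unknown is a concrete type name."""
    include, exclude = set(), set()
    for tok in spec.strip("{}").split():
        members = ATTRIBUTES.get(tok.lstrip("-"), {tok.lstrip("-")})
        (exclude if tok.startswith("-") else include).update(members)
    return include - exclude

def parse_rules(policy):
    """Yield (kind, sources, targets, class, perms); comments, type
    declarations and m4 macros such as domain_auto_trans() are skipped."""
    for line in policy.splitlines():
        m = RULE_RE.match(line)
        if m:
            kind, src, tgt, cls, perms = m.groups()
            sources = expand(src)
            targets = sources if tgt == "self" else expand(tgt)
            yield kind, sources, targets, cls, expand(perms)

def violations(policy):
    """Return (allow, neverallow) pairs whose source, target, class and
    permission sets all intersect; an empty list means no neverallow is hit."""
    rules = list(parse_rules(policy))
    never = [r for r in rules if r[0] == "neverallow"]
    return [(a, n) for a in rules if a[0] == "allow" for n in never
            if a[3] == n[3] and a[1] & n[1] and a[2] & n[2] and a[4] & n[4]]
```

Appending `allow kernel system_file:file execute_no_trans;` to SAMPLE_POLICY is reported as a violation, while the same permission on `rootfs` is not, which is exactly the carve-out the `-rootfs` term expresses.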