# Policy for the init domain.
#
# Everything below is an allow rule for the init domain, grouped by the
# boot-time task that needs it. The neverallow section at the end records
# the invariants that must hold no matter what device-specific policy adds.

# init is its own domain.
# mlstrustedsubject: init is exempt from the MLS constraints (convention
# shared with the other core domains).
type init, domain, mlstrustedsubject;

# The init domain is entered by execing init.
# init_exec is the only permitted entrypoint for this domain; see the
# neverallow rules at the bottom of the file.
type init_exec, exec_type, file_type;

# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };

#
# init direct restorecon calls.
#
# Each pair below is one restorecon: relabelfrom on the type the node was
# created with (tmpfs/device), relabelto on its final type.
#
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { write relabelto };
# /dev/kmsg_debug
# Expanded only on userdebug/eng builds; absent from user builds.
userdebug_or_eng(`
allow init kmsg_debug_device:chr_file { write relabelto };
')
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { create_file_perms relabelto };
# /dev/event-log-tags
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto };
# /dev/socket
allow init { device socket_device }:dir relabelto;
# /dev/random, /dev/urandom
allow init random_device:chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
# NOTE(review): no rationale recorded for kernel:fd use here — confirm which
# inherited descriptor needs it.
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
allow init system_block_device:{ blk_file lnk_file } relabelto;

# setrlimit
allow init self:capability sys_resource;

# Remove /dev/.booting, created before initial policy load or restorecon /dev.
allow init tmpfs:file unlink;

# Access pty created for fsck.
allow init devpts:chr_file { read write open };

# Create /dev/fscklogs files.
allow init fscklogs:file create_file_perms;

# Access /dev/__null__ node created prior to initial policy load.
allow init tmpfs:chr_file write;

# Access /dev/console.
allow init console_device:chr_file rw_file_perms;

# Access /dev/tty0.
allow init tty_device:chr_file rw_file_perms;

# Call mount(2).
# sys_admin is the broadest capability granted in this file; the mount
# rules below are what it is intended for.
allow init self:capability sys_admin;

# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;

# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;

# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };

# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;

# Create cgroups mount points in tmpfs and mount cgroups on them.
allow init tmpfs:dir create_dir_perms;
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
r_dir_file(init, cgroup)
allow init cpuctl_device:dir { create mounton };

# /config
allow init configfs:dir mounton;
allow init configfs:dir create_dir_perms;
allow init configfs:{ file lnk_file } create_file_perms;

# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;

# Create directories under /dev/cpuctl after chowning it to system.
# dac_override bypasses DAC checks for every file init touches, not only
# /dev/cpuctl; the comment above records the one intended use.
allow init self:capability dac_override;

# Set system clock.
allow init self:capability sys_time;

# NOTE(review): no rationale recorded for sys_rawio/mknod. mknod is
# consistent with the /dev node creation rules in this file; sys_rawio
# (raw block and port I/O) needs a documented consumer — TODO confirm.
allow init self:capability { sys_rawio mknod };

# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;

# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
# '~relabelto' grants every permission in the filesystem class except
# relabelto, so a context= relabel can only target contextmount_type.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;

# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;

# restorecon /adb_keys or any other rootfs files and directories to a more
# specific type.
allow init rootfs:{ dir file } relabelfrom;

# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr for open()+fchown()/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow init self:capability { chown fowner fsetid };

# Directory read/create on most file types. Excluded types either get
# narrower explicit rules further down (misc_logd_file) or are deliberately
# left out: app data, system/vendor files and executables.
allow init {
  file_type
  -app_data_file
  -exec_type
  -misc_logd_file
  -system_app_data_file
  -system_file
  -vendor_file_type
}:dir { create search getattr open read setattr ioctl };

# Directory write/remove/relabel. The exclusion set is wider than for the
# read rule above: keystore, vold and shell data directories only get the
# create/walk permissions granted explicitly below.
allow init {
  file_type
  -app_data_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };

# Regular files: full create/read/write/relabel/unlink on the same set.
# runtime_event_log_tags_file is excluded because it has its own narrower
# rule in the restorecon section near the top of the file.
allow init {
  file_type
  -app_data_file
  -runtime_event_log_tags_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:file { create getattr open read write setattr relabelfrom unlink };

# Sockets and fifos created from init.rc (no write permission).
allow init {
  file_type
  -app_data_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

# Symlinks created from init.rc. No read permission on purpose; see the
# symlink neverallow rules at the bottom of the file.
allow init {
  file_type
  -app_data_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };

allow init cache_file:lnk_file r_file_perms;

# Relabel targets for restorecon: any file type except system/vendor/exec
# types, so init cannot label a file as an executable or as part of the
# system or vendor image.
allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
# Populate /dev: create directories and symlinks labeled with any device type.
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;

# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow init debugfs_tracing:file w_file_perms;

# Setup and control wifi event tracing (see wifi-events.rc)
allow init debugfs_tracing_instances:dir create_dir_perms;
allow init debugfs_tracing_instances:file w_file_perms;
allow init debugfs_wifi_tracing:file w_file_perms;

# chown/chmod on pseudo files.
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };

# init should not be able to read or open generic devices
# TODO: auditing to see if this can be deleted entirely
# The auditallow that follows logs every read/open the allow permits on a
# device type not in its exclusion list, i.e. on a device not yet known to
# be needed. Once the audit log stays clean the allow can be narrowed to
# the listed types.
allow init {
  dev_type
  -kmem_device
  -port_device
  -device
  -vndbinder_device
}:chr_file { read open };
auditallow init {
  dev_type
  -alarm_device
  -ashmem_device
  -binder_device
  -console_device
  -device
  -devpts
  -dm_device
  -hwbinder_device
  -hw_random_device
  -keychord_device
  -kmem_device
  -kmsg_device
  -null_device
  -owntty_device
  -port_device
  -ptmx_device
  -random_device
  -zero_device
}:chr_file { read open };

# chown/chmod on devices.
# kmem_device and port_device stay excluded, matching the read/open rule above.
allow init { dev_type -kmem_device -port_device }:chr_file setattr;

# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };

# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
allow init self:capability2 syslog;

# Set usermodehelpers and /proc security settings.
# These are kernel-wide knobs (the helper paths the kernel execs and the
# /proc/sys security settings), so read/write here is a privileged grant.
allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
allow init proc_security:file rw_file_perms;

# Write to /proc/sys/kernel/panic_on_oops.
# The write grant is on the generic proc type, not a node-specific one:
# any /proc file still labeled proc is writable by init.
r_dir_file(init, proc)
allow init proc:file w_file_perms;

# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
r_dir_file(init, proc_net)
allow init proc_net:file w_file_perms;
allow init self:capability net_admin;

# Write to /proc/sysrq-trigger.
allow init proc_sysrq:file w_file_perms;

# Read /proc/stat for bootchart.
allow init proc_stat:file r_file_perms;

# Reboot.
allow init self:capability sys_boot;

# Write to sysfs nodes.
# Covers every sysfs_type-labeled file, not only the nodes init.rc writes.
allow init sysfs_type:dir r_dir_perms;
allow init sysfs_type:lnk_file read;
allow init sysfs_type:file rw_file_perms;

# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
# Init will also walk through the directory as part of a recursive restorecon.
allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
allow init misc_logd_file:file { open create getattr setattr write };

# Support "adb shell stop"
# init may signal processes in any domain (service stop/restart).
allow init self:capability kill;
allow init domain:process { getpgid sigkill signal };

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
# File access is getattr only; keystore's own data stays unreadable to init.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };

# Init creates vold's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init vold_data_file:dir { open create read getattr setattr search };
allow init vold_data_file:file { getattr };

# Init creates /data/local/tmp at boot
# Directory entries are not writable from init; see the shell_data_file
# neverallow at the bottom of the file.
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };

# Set UID, GID, and adjust capability bounding set for services.
allow init self:capability { setuid setgid setpcap };

# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have following line to allow init to have access
# to different domains.
r_dir_file(init, domain)

# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };

# Get file context
allow init file_contexts_file:file r_file_perms;

# sepolicy access
allow init sepolicy_file:file r_file_perms;

# Perform SELinux access checks on setting properties.
# init is the property service: it performs the property_type set check in
# userspace, and reports denials through the netlink_audit_socket rule below.
selinux_check_access(init)

# Ask the kernel for the new context on services to label their sockets.
allow init kernel:security compute_create;

# Create sockets for the services.
# The sockets carry the service domain's label (via setsockcreate above),
# hence the target is domain rather than self.
allow init domain:unix_stream_socket { create bind setopt };
allow init domain:unix_dgram_socket { create bind setopt };

# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;

# Set any property.
# Unconditional: init is the property service itself, so policy does not
# restrict which properties init sets.
allow init property_type:property_service set;

# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:capability audit_write;

# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs:
# (allowxperm narrows the ioctl grant above to this one request.)
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
allow init self:capability net_raw;

# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
# TODO(review): confirm with an auditallow before removing.
allow init kernel:process setsched;

# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;

# Read from /dev/hw_random if present.
# system/core/init/init.c - mix_hwrng_into_linux_rng_action
allow init hw_random_device:chr_file r_file_perms;

# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO: Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file create_file_perms;

# keychord configuration
allow init self:capability sys_tty_config;
allow init keychord_device:chr_file rw_file_perms;

# Access device mapper for setting up dm-verity
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;

# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;

# Read /sys/fs/pstore/console-ramoops to detect restarts caused
# by dm-verity detecting corrupted blocks
allow init pstorefs:dir search;
allow init pstorefs:file r_file_perms;
allow init kernel:system syslog_read;

# linux keyring configuration
allow init init:key { write search setattr };

# Allow init to create /data/unencrypted
allow init unencrypted_data_file:dir create_dir_perms;

# Allow init to write to /proc/sys/vm/overcommit_memory
allow init proc_overcommit_memory:file { write };

# Connect to vold's unix socket.
unix_socket_connect(init, vold, vold)

# Raw writes to misc block device
# Write-only: this file grants no read on misc_block_device.
allow init misc_block_device:blk_file w_file_perms;

# Read access to system and vendor files, and /proc/meminfo.
r_dir_file(init, system_file)
r_dir_file(init, vendor_file_type)
allow init proc_meminfo:file r_file_perms;

# Read (not write) files and symlinks labeled system_data_file.
allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file r_file_perms;

# For init to be able to run shell scripts from vendor
# execute only: execute_no_trans is forbidden by the neverallow below, so
# the script has to run under a domain transition, not as init.
allow init vendor_shell_exec:file execute;

###
### neverallow rules
###

# The init domain is only entered via an exec based transition from the
# kernel domain, never via setcon().
# dyntransition: no process may setcon() into init.
# transition: only the kernel domain may exec into init.
# entrypoint: only init_exec may be the binary that starts the init domain.
neverallow domain init:process dyntransition;
neverallow { domain -kernel } init:process transition;
neverallow init { file_type fs_type -init_exec }:file entrypoint;

# Never read/follow symlinks created by shell or untrusted apps.
# Keeps the init.rc file operations above (chown/chmod, restorecon) from
# being redirected through a link placed by a less trusted domain.
neverallow init shell_data_file:lnk_file read;
neverallow init app_data_file:lnk_file read;

# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;

# Init never adds or uses services via service_manager.
neverallow init service_manager_type:service_manager { add find };
neverallow init servicemanager:service_manager list;

# Init should not be creating subdirectories in /data/local/tmp
neverallow init shell_data_file:dir { write add_name remove_name };