# init is its own domain.
#
# init is the first userspace process and runs as root with a wide set of
# capabilities, so every allow rule in this file widens what a compromised
# or buggy init (or an init.rc line it executes) could do.  The recurring
# exclusion lists below (app/shell/keystore/vold data, /system, /vendor,
# executables) are the main thing keeping that blast radius bounded; keep
# them intact when adding rules, and prefer a narrow dedicated type over
# widening a generic one.
type init, domain, mlstrustedsubject;

# The init domain is entered by execing init.
# The neverallow rules at the end of this file pin this down: init may only
# be entered by an exec transition from the kernel domain, through init_exec.
type init_exec, exec_type, file_type;

# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };

#
# init direct restorecon calls.
#
# Each group grants relabelfrom on the label an object carries before the
# policy is loaded (tmpfs or the generic device type) and relabelto on the
# final, more specific type.  Relabel permissions are deliberately kept
# per-type here rather than granted on file_type as a whole.
#
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { write relabelto };
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { create_file_perms relabelto };
# /dev/event-log-tags
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto };
# /dev/socket
allow init { device socket_device }:dir relabelto;
# /dev/random, /dev/urandom
allow init random_device:chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
# Use file descriptors owned by the kernel domain.
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
allow init system_block_device:{ blk_file lnk_file } relabelto;

# setrlimit
allow init self:capability sys_resource;

# Remove /dev/.booting, created before initial policy load or restorecon /dev.
allow init tmpfs:file unlink;

# Access pty created for fsck.
allow init devpts:chr_file { read write open };

# Create /dev/fscklogs files.
allow init fscklogs:file create_file_perms;

# Access /dev/__null__ node created prior to initial policy load.
allow init tmpfs:chr_file write;

# Access /dev/console.
allow init console_device:chr_file rw_file_perms;

# Access /dev/tty0.
allow init tty_device:chr_file rw_file_perms;

# Call mount(2).
# CAP_SYS_ADMIN is far broader than mount(2); it is granted here because
# mount needs it, and the SELinux rules in this file are what actually
# bound how init may use it.
allow init self:capability sys_admin;

# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;

# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;

# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };

# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;

# Create cgroups mount points in tmpfs and mount cgroups on them.
allow init tmpfs:dir create_dir_perms;
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
r_dir_file(init, cgroup)
allow init cpuctl_device:dir { create mounton };

# /config
allow init configfs:dir mounton;
allow init configfs:dir create_dir_perms;

# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;

# Create directories under /dev/cpuctl after chowning it to system.
# NOTE(review): CAP_DAC_OVERRIDE is process-wide.  It bypasses owner/mode
# checks on every file init touches, not just /dev/cpuctl; the exclusion
# lists on the file rules below are the only remaining limit.
allow init self:capability dac_override;

# Set system clock.
allow init self:capability sys_time;

# Create device nodes (mknod); sys_rawio additionally permits raw I/O.
allow init self:capability { sys_rawio mknod };

# Mounting filesystems from block devices.
# This is read access to every block-device node type carrying dev_type,
# i.e. raw partition contents, not only the partitions init mounts.
allow init dev_type:blk_file r_file_perms;

# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
# "~relabelto" is the complement: every filesystem permission except
# relabelto, so the relabelto grant is confined to the third rule.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;

# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;

# restorecon /adb_keys or any other rootfs files and directories to a more
# specific type.
allow init rootfs:{ dir file } relabelfrom;

# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we allow most file types here and exclude by name: /system and /vendor
# files, executables, and the data directories owned by apps, shell,
# keystore and vold.  The excluded data types get narrower, explicit rules
# further down (directory traversal and getattr only); the neverallow rules
# at the end of the file explain why shell/app data must stay out.
allow init self:capability { chown fowner fsetid };

allow init {
    file_type
    -app_data_file
    -exec_type
    -misc_logd_file
    -system_app_data_file
    -system_file
    -vendor_file_type
}:dir { create search getattr open read setattr ioctl };

allow init {
    file_type
    -app_data_file
    -exec_type
    -keystore_data_file
    -misc_logd_file
    -shell_data_file
    -system_app_data_file
    -system_file
    -vendor_file_type
    -vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };

allow init {
    file_type
    -app_data_file
    -runtime_event_log_tags_file
    -exec_type
    -keystore_data_file
    -misc_logd_file
    -shell_data_file
    -system_app_data_file
    -system_file
    -vendor_file_type
    -vold_data_file
}:file { create getattr open read write setattr relabelfrom unlink };

allow init {
    file_type
    -app_data_file
    -exec_type
    -keystore_data_file
    -misc_logd_file
    -shell_data_file
    -system_app_data_file
    -system_file
    -vendor_file_type
    -vold_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

# Symlinks: note that "read" (follow) is intentionally absent here; the
# generic lnk_file grant lets init create, relabel and remove links but
# not follow them.
allow init {
    file_type
    -app_data_file
    -exec_type
    -keystore_data_file
    -misc_logd_file
    -shell_data_file
    -system_app_data_file
    -system_file
    -vendor_file_type
    -vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };

# Following symlinks is granted only for /cache.
allow init cache_file:lnk_file r_file_perms;

# Relabel targets for restorecon.  NOTE(review): this exclusion list is
# shorter than the ones on the write rules above, so init may relabel
# objects to e.g. keystore_data_file or shell_data_file even though it
# cannot write their contents.  Keep the two lists in mind when adding a
# new protected data type.
allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
# Create directories and symlinks under /dev for any device type.
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;

# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow init tracing_shell_writable:file w_file_perms;

# Setup and control wifi event tracing (see wifi-events.rc)
allow init debugfs_tracing_instances:dir create_dir_perms;
allow init debugfs_tracing_instances:file w_file_perms;
allow init debugfs_wifi_tracing:file w_file_perms;

# chown/chmod on pseudo files.
# context= mounts, sdcard and rootfs are handled by their own rules above.
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };

# init should not be able to read or open generic devices
# TODO: auditing to see if this can be deleted entirely
# The allow rule still grants read/open on almost every character device.
# The auditallow that follows grants nothing; it logs every use of that
# grant on a device type not in its own exclusion list, i.e. every type
# not yet known to be needed.  Use those logs to shrink (or drop) the
# allow rule rather than extending the auditallow exclusion list.
allow init {
    dev_type
    -kmem_device
    -port_device
    -device
    -vndbinder_device
}:chr_file { read open };
auditallow init {
    dev_type
    -alarm_device
    -ashmem_device
    -binder_device
    -console_device
    -device
    -devpts
    -dm_device
    -hwbinder_device
    -hw_random_device
    -keychord_device
    -kmem_device
    -kmsg_device
    -null_device
    -owntty_device
    -port_device
    -ptmx_device
    -random_device
    -zero_device
}:chr_file { read open };

# chown/chmod on devices.
allow init { dev_type -kmem_device -port_device }:chr_file setattr;

# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };

# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
allow init self:capability2 syslog;

# Set usermodehelpers and /proc security settings.
# These are system-wide kernel knobs; writes here affect every process.
allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;

# Write to /proc/sys/kernel/panic_on_oops.
# "proc" is the catch-all type, so this also covers any /proc file that
# has not been given a more specific type (proc_net, proc_sysrq, ...).
r_dir_file(init, proc)
allow init proc:file w_file_perms;

# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
r_dir_file(init, proc_net)
allow init proc_net:file w_file_perms;
allow init self:capability net_admin;

# Write to /proc/sysrq-trigger.
# Write-only: a write here can reboot, crash or kill processes.
allow init proc_sysrq:file w_file_perms;

# Read /proc/stat for bootchart.
allow init proc_stat:file r_file_perms;

# Reboot.
allow init self:capability sys_boot;

# Write to sysfs nodes.
allow init sysfs_type:dir r_dir_perms;
allow init sysfs_type:lnk_file read;
allow init sysfs_type:file rw_file_perms;

# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
# Init will also walk through the directory as part of a recursive restorecon.
# Files get create/setattr/write but no read: init sets the directory up,
# it does not consume the persisted logs.
allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
allow init misc_logd_file:file { open create getattr setattr write };

# Support "adb shell stop"
# init may signal every domain, which is what stopping services requires.
allow init self:capability kill;
allow init domain:process { sigkill signal };

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
# Files: getattr only.  No read/write, so keystore material stays out of
# init's reach even though init creates the directory.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };

# Init creates vold's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init vold_data_file:dir { open create read getattr setattr search };
allow init vold_data_file:file { getattr };

# Init creates /data/local/tmp at boot
# Directory setup and traversal only; the neverallow at the end of the
# file forbids creating entries there, since shell controls that tree.
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };

# Set UID, GID, and adjust capability bounding set for services.
allow init self:capability { setuid setgid setpcap };

# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have following line to allow init to have access
# to different domains.
r_dir_file(init, domain)

# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };

# Get file context
allow init file_contexts_file:file r_file_perms;

# sepolicy access
allow init sepolicy_file:file r_file_perms;

# Perform SELinux access checks on setting properties.
selinux_check_access(init)

# Ask the kernel for the new context on services to label their sockets.
allow init kernel:security compute_create;

# Create sockets for the services.
# These are created in the service's own context (see setsockcreate above),
# which is why the target is "domain" rather than init itself.
allow init domain:unix_stream_socket { create bind };
allow init domain:unix_dgram_socket { create bind };

# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;

# Set any property.
# init is the property service itself, so this covers every property type.
allow init property_type:property_service set;

# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:capability audit_write;

# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs:
# (allowxperm restricts the ioctl grant above to this one command plus
# the unprivileged set, rather than every socket ioctl.)
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
allow init self:capability net_raw;

# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow init kernel:process setsched;

# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;

# Read from /dev/hw_random if present.
# system/core/init/init.c - mix_hwrng_into_linux_rng_action
allow init hw_random_device:chr_file r_file_perms;

# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO: Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file create_file_perms;

# keychord configuration
allow init self:capability sys_tty_config;
allow init keychord_device:chr_file rw_file_perms;

# Access device mapper for setting up dm-verity
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;

# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;

# Read /sys/fs/pstore/console-ramoops to detect restarts caused
# by dm-verity detecting corrupted blocks
allow init pstorefs:dir search;
allow init pstorefs:file r_file_perms;
allow init kernel:system syslog_read;

# linux keyring configuration
allow init init:key { write search setattr };

# Allow init to create /data/unencrypted
allow init unencrypted_data_file:dir create_dir_perms;

# Allow init to write to /proc/sys/vm/overcommit_memory
allow init proc_overcommit_memory:file { write };

# Connect to vold's local socket.
unix_socket_connect(init, vold, vold)

# Raw writes to misc block device
# Write-only; no read of the misc partition is granted.
allow init misc_block_device:blk_file w_file_perms;

# Read-only access to /system and /vendor, plus /proc/meminfo.
r_dir_file(init, system_file)
r_dir_file(init, vendor_file_type)
allow init proc_meminfo:file r_file_perms;

# Read (not write) files and follow symlinks under /data/system-style
# system_data_file locations.
allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file r_file_perms;

# For init to be able to run shell scripts from vendor
# Given the execute_no_trans neverallow below, this "execute" is only
# usable together with a domain transition out of init; that transition
# is presumably defined in another policy file — verify it exists.
allow init vendor_shell_exec:file execute;

###
### neverallow rules
###
### These are compile-time assertions: an allow rule anywhere in the
### policy (including device-specific policy) that contradicts one of
### them fails the policy build.
###

# The init domain is only entered via an exec based transition from the
# kernel domain, never via setcon().
# dyntransition: no domain may setcon() into init.
# transition: only the kernel domain may exec into init.
# entrypoint: init_exec is the only file that may serve as the entry point.
neverallow domain init:process dyntransition;
neverallow { domain -kernel } init:process transition;
neverallow init { file_type fs_type -init_exec }:file entrypoint;

# Never read/follow symlinks created by shell or untrusted apps.
# Rationale: init operates on files as root from init.rc; a symlink an
# attacker plants in shell- or app-writable space could otherwise redirect
# those operations to an arbitrary target.
neverallow init shell_data_file:lnk_file read;
neverallow init app_data_file:lnk_file read;

# init should never execute a program without changing to another domain.
# Everything init spawns must land in a more confined domain; nothing may
# run with init's own permissions.
neverallow init { file_type fs_type }:file execute_no_trans;

# Init never adds or uses services via service_manager.
neverallow init service_manager_type:service_manager { add find };
neverallow init servicemanager:service_manager list;

# Init should not be creating subdirectories in /data/local/tmp
neverallow init shell_data_file:dir { write add_name remove_name };