      1 # Life begins with the kernel.
        # Policy for the `kernel` domain: the context of the initial task and of
        # kernel threads.  Several rules below exist only because early init runs
        # in this domain before it switches to the init domain.
      2 type kernel, domain, mlstrustedsubject;
        # (mlstrustedsubject marks the domain as trusted for MLS constraints.)
      3 
        # CAP_SYS_NICE: scheduling-priority changes.
      4 allow kernel self:capability sys_nice;
      5 
      6 # Root fs.
        # r_dir_file(): read-only directory and file access (macro).
      7 r_dir_file(kernel, rootfs)
      8 r_dir_file(kernel, proc)
      9 
     10 # Get SELinux enforcing status.
     11 allow kernel selinuxfs:dir r_dir_perms;
     12 allow kernel selinuxfs:file r_file_perms;
     13 
     14 # Get file contexts during first stage
        # (first-stage init, still running in the kernel domain, reads them).
     15 allow kernel file_contexts_file:file r_file_perms;
     16 
     17 # Allow init to relabel itself.
        # relabelfrom on the rootfs label plus relabelto on init_exec is the
        # minimum needed to change the label of init's own executable.
     18 allow kernel rootfs:file relabelfrom;
     19 allow kernel init_exec:file relabelto;
     20 # TODO: investigate why we need this.
        # NOTE(review): process `share` between kernel and init is still
        # unexplained; keep the TODO until the triggering operation is known.
     21 allow kernel init:process share;
     22 
     23 # cgroup filesystem initialization prior to setting the cgroup root directory label.
        # `search` only: traversal of the still-unlabeled directory, no read or write.
     24 allow kernel unlabeled:dir search;
     25 
     26 # Mount usbfs.
     27 allow kernel usbfs:filesystem mount;
     28 allow kernel usbfs:dir search;
     29 
     30 # Initial setenforce by init prior to switching to init domain.
     31 # We use dontaudit instead of allow to prevent a kernel spawned userspace
     32 # process from turning off SELinux once enabled.
        # dontaudit only silences the denial log; the operation is still denied
        # whenever enforcement is on.
     33 dontaudit kernel self:security setenforce;
     34 
     35 # Write to /proc/1/oom_adj prior to switching to init domain.
        # CAP_SYS_RESOURCE (presumably needed to lower the oom_adj value).
     36 allow kernel self:capability sys_resource;
     37 
     38 # Init reboot before switching selinux domains under certain error
     39 # conditions. Allow it.
     40 # As part of rebooting, init writes "u" to /proc/sysrq-trigger to
     41 # remount filesystems read-only. /data is not mounted at this point,
     42 # so we could ignore this. For now, we allow it.
        # NOTE(review): w_file_perms is a macro granting a set of write-side
        # permissions, not just `write`; check its definition before narrowing.
     43 allow kernel self:capability sys_boot;
     44 allow kernel proc_sysrq:file w_file_perms;
     45 
     46 # Allow writing to /dev/kmsg which was created prior to loading policy.
        # NOTE(review): the rule is keyed on the tmpfs type, so it covers every
        # character device carrying that label, not only /dev/kmsg.
     47 allow kernel tmpfs:chr_file write;
     48 
     49 # Set checkreqprot by init.rc prior to switching to init domain.
        # Contrast with setenforce above: setcheckreqprot is allowed outright.
     50 allow kernel selinuxfs:file write;
     51 allow kernel self:security setcheckreqprot;
     52 
     53 # MTP sync (b/15835289)
     54 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
        # fd:use lets the kernel thread operate on descriptors received from
        # priv_app; the file access itself is still checked against sdcard_type.
     55 allow kernel priv_app:fd use;
     56 allow kernel sdcard_type:file { read write };
     57 
     58 # Allow the kernel to read OBB files from app directories. (b/17428116)
     59 # Kernel thread "loop0" reads a vold supplied file descriptor.
     60 # Fixes CTS tests:
     61 #  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
     62 #  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
        # Read-only: no write access to app data or ASEC images is granted here.
     63 allow kernel vold:fd use;
     64 allow kernel app_data_file:file read;
     65 allow kernel asec_image_file:file read;
     66 
     67 # Allow reading loop device in update_engine_unittests. (b/28319454)
        # userdebug_or_eng() expands only on userdebug and eng builds, so these
        # rules are absent from user builds.
     68 userdebug_or_eng(`
     69   allow kernel update_engine_data_file:file read;
     70   allow kernel nativetest_data_file:file read;
     71 ')
     72 
     73 # Access to /data/media.
     74 # This should be removed if sdcardfs is modified to alter the secontext for its
     75 # accesses to the underlying FS.
        # NOTE(review): create_dir_perms / create_file_perms grant creation,
        # modification and removal (check the macro definitions); this is the
        # widest grant in this file and is already marked as temporary above.
     76 allow kernel media_rw_data_file:dir create_dir_perms;
     77 allow kernel media_rw_data_file:file create_file_perms;
     78 
     79 # Access to /data/misc/vold/virtual_disk.
        # Read-only, as for the other loop-device backing files above.
     80 allow kernel vold_data_file:file read;
     81 
     82 ###
     83 ### neverallow rules
     84 ###
        # neverallow rules are assertions checked when the policy is compiled;
        # a conflicting allow rule anywhere in the policy fails the build.
     85 
     86 # The initial task starts in the kernel domain (assigned via
     87 # initial_sid_contexts), but nothing ever transitions to it.
        # `*` as the source means every type, including kernel itself.
     88 neverallow * kernel:process { transition dyntransition };
     89 
     90 # The kernel domain is never entered via an exec, nor should it
     91 # ever execute a program outside the rootfs without changing to another domain.
     92 # If you encounter an execute_no_trans denial on the kernel domain, then
     93 # possible causes include:
     94 # - The program is a kernel usermodehelper.  In this case, define a domain
     95 #   for the program and domain_auto_trans() to it.
     96 # - You are running an exploit which switched to the init task credentials
     97 #   and is then trying to exec a shell or other program.  You lose!
        # entrypoint: no file may serve as an entry point into this domain;
        # execute_no_trans: no exec may remain in this domain.
     98 neverallow kernel *:file { entrypoint execute_no_trans };
     99 
    100 # the kernel should not be accessing files owned by other users.
    101 # Instead of adding dac_{read_search,override}, fix the unix permissions
    102 # on files being accessed.
        # Pairs with the capability grants above: sys_nice, sys_resource and
        # sys_boot are allowed; DAC bypass never is.
    103 neverallow kernel self:capability { dac_override dac_read_search };
    104