# Type enforcement rules for Android's init process: the init domain, its
# exec type, the accesses init.rc-driven actions need, and the neverallow
# constraints that bound the domain.

# init is its own domain.
type init, domain, mlstrustedsubject;

# The init domain is entered by execing init.
type init_exec, exec_type, file_type;

# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };

#
# init direct restorecon calls.
#
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { write relabelto };
# /dev/kmsg_debug (rule is only emitted on userdebug/eng builds).
userdebug_or_eng(`
  allow init kmsg_debug_device:chr_file { write relabelto };
')
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { create_file_perms relabelto };
# /dev/__properties__/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
# /dev/event-log-tags
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
allow init { device socket_device }:dir relabelto;
# /dev/random, /dev/urandom
allow init random_device:chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
allow init {
  misc_block_device
  recovery_block_device
  system_block_device
}:{ blk_file lnk_file } relabelto;

# setrlimit
allow init self:global_capability_class_set sys_resource;

# Remove /dev/.booting, created before initial policy load or restorecon /dev.
allow init tmpfs:file unlink;

# Access pty created for fsck.
allow init devpts:chr_file { read write open };

# Create /dev/fscklogs files.
allow init fscklogs:file create_file_perms;

# Access /dev/__null__ node created prior to initial policy load.
allow init tmpfs:chr_file write;

# Access /dev/console.
allow init console_device:chr_file rw_file_perms;

# Access /dev/tty0.
allow init tty_device:chr_file rw_file_perms;

# Call mount(2).
allow init self:global_capability_class_set sys_admin;

# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
allow init cgroup_bpf:dir { create mounton };

# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;

# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;

# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };

# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;

# Create cgroups mount points in tmpfs and mount cgroups on them.
allow init tmpfs:dir create_dir_perms;
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
r_dir_file(init, cgroup)
allow init cpuctl_device:dir { create mounton };

# /config
allow init configfs:dir mounton;
allow init configfs:dir create_dir_perms;
allow init configfs:{ file lnk_file } create_file_perms;

# /metadata
allow init metadata_file:dir mounton;

# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;

# Create directories under /dev/cpuctl after chowning it to system.
allow init self:global_capability_class_set dac_override;

# Set system clock.
allow init self:global_capability_class_set sys_time;

# NOTE(review): no purpose is recorded for sys_rawio or mknod. Both are
# powerful capabilities; confirm which init action needs each and document it.
allow init self:global_capability_class_set { sys_rawio mknod };

# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;

# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;

# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;

# restorecon /adb_keys or any other rootfs files and directories to a more
# specific type.
allow init rootfs:{ dir file } relabelfrom;

# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod need open+read+setattr, since they are done as open()+fchown()/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow init self:global_capability_class_set { chown fowner fsetid };

allow init {
  file_type
  -app_data_file
  -exec_type
  -misc_logd_file
  -nativetest_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
}:dir { create search getattr open read setattr ioctl };

allow init {
  file_type
  -app_data_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };

allow init {
  file_type
  -app_data_file
  -runtime_event_log_tags_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:file { create getattr open read write setattr relabelfrom unlink };

allow init {
  file_type
  -app_data_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

allow init {
  file_type
  -app_data_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };

allow init cache_file:lnk_file r_file_perms;

# Target side of restorecon: objects may be relabeled to any file type other
# than system, vendor and exec types (matching the exclusions above).
allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
# NOTE(review): directory creation and symlink creation across every dev_type,
# presumably for mkdir/symlink actions under /dev in init.rc — confirm.
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;

# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow init debugfs_tracing:file w_file_perms;

# Setup and control wifi event tracing (see wifi-events.rc)
allow init debugfs_tracing_instances:dir create_dir_perms;
allow init debugfs_tracing_instances:file w_file_perms;
allow init debugfs_wifi_tracing:file w_file_perms;

# chown/chmod on pseudo files.
allow init {
  fs_type
  -contextmount_type
  -proc
  -sdcard_type
  -sysfs_type
  -rootfs
}:file { open read setattr };
# NOTE(review): unlike the file rule just above, this dir rule does not exclude
# proc or sysfs_type; confirm that difference is intentional.
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };

# init should not be able to read or open generic devices
# TODO: auditing to see if this can be deleted entirely
allow init {
  dev_type
  -kmem_device
  -port_device
  -device
  -vndbinder_device
}:chr_file { read open };
# Audit (log, but still permit) read/open on any device type not listed here,
# so the broad grant above can be narrowed to what is actually used.
auditallow init {
  dev_type
  -alarm_device
  -ashmem_device
  -binder_device
  -console_device
  -device
  -devpts
  -dm_device
  -hwbinder_device
  -hw_random_device
  -keychord_device
  -kmem_device
  -kmsg_device
  -null_device
  -owntty_device
  -port_device
  -ptmx_device
  -random_device
  -zero_device
}:chr_file { read open };

# chown/chmod on devices.
allow init { dev_type -kmem_device -port_device }:chr_file setattr;

# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };

# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
allow init self:global_capability2_class_set syslog;

# init access to /proc.
r_dir_file(init, proc_net)

allow init {
  proc_cmdline
  proc_diskstats
  proc_kmsg # Open /proc/kmsg for logd service.
  proc_meminfo
  proc_stat # Read /proc/stat for bootchart.
  proc_uptime
  proc_version
}:file r_file_perms;

allow init {
  proc_abi
  proc_dirty
  proc_hostname
  proc_hung_task
  proc_extra_free_kbytes
  proc_net
  proc_max_map_count
  proc_min_free_order_shift
  proc_overcommit_memory
  proc_panic
  proc_page_cluster
  proc_perf
  proc_sched
  proc_sysrq
}:file w_file_perms;

allow init {
  proc_security
}:file rw_file_perms;

# init access to /sys files.
allow init {
  sysfs_android_usb
  sysfs_leds
  sysfs_power
}:file w_file_perms;

allow init {
  sysfs_dt_firmware_android
}:file r_file_perms;

allow init {
  sysfs_zram
}:file rw_file_perms;

# Allow init to write to vibrator/trigger
allow init sysfs_vibrator:file w_file_perms;

# init chmod/chown access to /sys files.
allow init {
  sysfs_android_usb
  sysfs_devices_system_cpu
  sysfs_ipv4
  sysfs_leds
  sysfs_lowmemorykiller
  sysfs_power
  sysfs_vibrator
  sysfs_wake_lock
}:file setattr;

# Set usermodehelpers.
allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;

# NOTE(review): no purpose is recorded for net_admin; the "ifup lo" rules
# further down rely on net_raw, so confirm which network step needs net_admin.
allow init self:global_capability_class_set net_admin;

# Reboot.
allow init self:global_capability_class_set sys_boot;

# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
# Init will also walk through the directory as part of a recursive restorecon.
allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
allow init misc_logd_file:file { open create getattr setattr write };

# Support "adb shell stop"
allow init self:global_capability_class_set kill;
allow init domain:process { getpgid sigkill signal };

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };

# Init creates vold's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init vold_data_file:dir { open create read getattr setattr search };
allow init vold_data_file:file { getattr };

# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };

# Set UID, GID, and adjust capability bounding set for services.
allow init self:global_capability_class_set { setuid setgid setpcap };

# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have the following line to allow init to have access
# to different domains.
r_dir_file(init, domain)

# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };

# Get file context
allow init file_contexts_file:file r_file_perms;

# sepolicy access
allow init sepolicy_file:file r_file_perms;

# Perform SELinux access checks on setting properties.
selinux_check_access(init)

# Ask the kernel for the new context on services to label their sockets.
allow init kernel:security compute_create;

# Create sockets for the services.
allow init domain:unix_stream_socket { create bind setopt };
allow init domain:unix_dgram_socket { create bind setopt };

# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;

# Set any property.
allow init property_type:property_service set;

# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:global_capability_class_set audit_write;

# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs:
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
allow init self:global_capability_class_set net_raw;

# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow init kernel:process setsched;

# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;

# Read from /dev/hw_random if present.
# system/core/init/init.c - mix_hwrng_into_linux_rng_action
allow init hw_random_device:chr_file r_file_perms;

# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO: Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file create_file_perms;

# keychord configuration
allow init self:global_capability_class_set sys_tty_config;
allow init keychord_device:chr_file rw_file_perms;

# Access device mapper for setting up dm-verity
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;

# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;

# Read /sys/fs/pstore/console-ramoops to detect restarts caused
# by dm-verity detecting corrupted blocks
allow init pstorefs:dir search;
allow init pstorefs:file r_file_perms;
allow init kernel:system syslog_read;

# linux keyring configuration
allow init init:key { write search setattr };

# Allow init to create /data/unencrypted
allow init unencrypted_data_file:dir create_dir_perms;

# Allow init to write to /proc/sys/vm/overcommit_memory
# NOTE(review): redundant — proc_overcommit_memory is already granted
# w_file_perms in the /proc write list above; consider dropping this rule.
allow init proc_overcommit_memory:file { write };

# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;

r_dir_file(init, system_file)
r_dir_file(init, vendor_file_type)

allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file r_file_perms;

# For init to be able to run shell scripts from vendor.
# Only execute is granted: the neverallow below forbids execute_no_trans on
# any file_type, so running such a script must still transition domains.
allow init vendor_shell_exec:file execute;

# Metadata setup
allow init vold_metadata_file:dir create_dir_perms;
allow init vold_metadata_file:file getattr;

###
### neverallow rules
###

# The init domain is only entered via an exec based transition from the
# kernel domain, never via setcon().
neverallow domain init:process dyntransition;
neverallow { domain -kernel } init:process transition;
neverallow init { file_type fs_type -init_exec }:file entrypoint;

# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
neverallow init app_data_file:lnk_file read;

# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;

# Init never adds or uses services via service_manager.
neverallow init service_manager_type:service_manager { add find };
neverallow init servicemanager:service_manager list;

# Init should not be creating subdirectories in /data/local/tmp
neverallow init shell_data_file:dir { write add_name remove_name };

# Init should not access sysfs nodes that are not explicitly labeled
# (the generic sysfs rule above grants only getattr and relabelfrom).
neverallow init sysfs:file { open read write };