1# Life begins with the kernel. 2type kernel, domain, mlstrustedsubject; 3 4allow kernel self:global_capability_class_set sys_nice; 5 6# Root fs. 7r_dir_file(kernel, rootfs) 8allow kernel proc_cmdline:file r_file_perms; 9 10# Get SELinux enforcing status. 11allow kernel selinuxfs:dir r_dir_perms; 12allow kernel selinuxfs:file r_file_perms; 13 14# Get file contexts during first stage 15allow kernel file_contexts_file:file r_file_perms; 16 17# Allow init relabel itself. 18allow kernel rootfs:file relabelfrom; 19allow kernel init_exec:file relabelto; 20# TODO: investigate why we need this. 21allow kernel init:process share; 22 23# cgroup filesystem initialization prior to setting the cgroup root directory label. 24allow kernel unlabeled:dir search; 25 26# Mount usbfs. 27allow kernel usbfs:filesystem mount; 28allow kernel usbfs:dir search; 29 30# Initial setenforce by init prior to switching to init domain. 31# We use dontaudit instead of allow to prevent a kernel spawned userspace 32# process from turning off SELinux once enabled. 33dontaudit kernel self:security setenforce; 34 35# Write to /proc/1/oom_adj prior to switching to init domain. 36allow kernel self:global_capability_class_set sys_resource; 37 38# Init reboot before switching selinux domains under certain error 39# conditions. Allow it. 40# As part of rebooting, init writes "u" to /proc/sysrq-trigger to 41# remount filesystems read-only. /data is not mounted at this point, 42# so we could ignore this. For now, we allow it. 43allow kernel self:global_capability_class_set sys_boot; 44allow kernel proc_sysrq:file w_file_perms; 45 46# Allow writing to /dev/kmsg which was created prior to loading policy. 47allow kernel tmpfs:chr_file write; 48 49# Set checkreqprot by init.rc prior to switching to init domain. 50allow kernel selinuxfs:file write; 51allow kernel self:security setcheckreqprot; 52 53# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723) 54allow kernel sdcard_type:file { read write }; 55 56# f_mtp driver accesses files from kernel context. 57allow kernel mediaprovider:fd use; 58 59# Allow the kernel to read OBB files from app directories. (b/17428116) 60# Kernel thread "loop0" reads a vold supplied file descriptor. 61# Fixes CTS tests: 62# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal 63# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs 64allow kernel vold:fd use; 65allow kernel { app_data_file privapp_data_file }:file read; 66allow kernel asec_image_file:file read; 67 68# Allow reading loop device in update_engine_unittests. (b/28319454) 69# and for LTP kernel tests (b/73220071) 70userdebug_or_eng(` 71 allow kernel update_engine_data_file:file read; 72 allow kernel nativetest_data_file:file { read write }; 73') 74 75# Access to /data/media. 76# This should be removed if sdcardfs is modified to alter the secontext for its 77# accesses to the underlying FS. 78allow kernel media_rw_data_file:dir create_dir_perms; 79allow kernel media_rw_data_file:file create_file_perms; 80 81# Access to /data/misc/vold/virtual_disk. 82allow kernel vold_data_file:file { read write }; 83 84# Allow the kernel to read APEX file descriptors and (staged) data files; 85# Needed because APEX uses the loopback driver, which issues requests from 86# a kernel thread in earlier kernel version. 87allow kernel apexd:fd use; 88allow kernel apex_data_file:file read; 89allow kernel staging_data_file:file read; 90 91# Allow the first-stage init (which is running in the kernel domain) to execute the 92# dynamic linker when it re-executes /init to switch into the second stage. 93# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed 94# before the domain is switched to the target domain. So, we need to allow the kernel 95# domain (the source domain) to execute the dynamic linker (system_file type). 96# TODO(b/110147943) remove these allow rules when we no longer need to support Linux 97# kernel older than 4.8. 98allow kernel system_file:file execute; 99# The label for the dynamic linker is rootfs in the recovery partition. This is because 100# the recovery partition which is rootfs does not support xattr and thus labeling can't be 101# done at build-time. All files are by default labeled as rootfs upon booting. 102recovery_only(` 103 allow kernel rootfs:file execute; 104') 105 106# required by VTS lidbm unit test 107allow kernel appdomain_tmpfs:file read; 108 109### 110### neverallow rules 111### 112 113# The initial task starts in the kernel domain (assigned via 114# initial_sid_contexts), but nothing ever transitions to it. 115neverallow * kernel:process { transition dyntransition }; 116 117# The kernel domain is never entered via an exec, nor should it 118# ever execute a program outside the rootfs without changing to another domain. 119# If you encounter an execute_no_trans denial on the kernel domain, then 120# possible causes include: 121# - The program is a kernel usermodehelper. In this case, define a domain 122# for the program and domain_auto_trans() to it. 123# - You are running an exploit which switched to the init task credentials 124# and is then trying to exec a shell or other program. You lose! 125neverallow kernel *:file { entrypoint execute_no_trans }; 126 127# the kernel should not be accessing files owned by other users. 128# Instead of adding dac_{read_search,override}, fix the unix permissions 129# on files being accessed. 130neverallow kernel self:global_capability_class_set { dac_override dac_read_search }; 131 132# Nobody should be ptracing kernel threads 133neverallow * kernel:process ptrace; 134