1# Life begins with the kernel. 2type kernel, domain, mlstrustedsubject; 3 4allow kernel self:capability sys_nice; 5 6# Root fs. 7r_dir_file(kernel, rootfs) 8r_dir_file(kernel, proc) 9 10# Get SELinux enforcing status. 11allow kernel selinuxfs:dir r_dir_perms; 12allow kernel selinuxfs:file r_file_perms; 13 14# Get file contexts during first stage 15allow kernel file_contexts_file:file r_file_perms; 16 17# Allow init relabel itself. 18allow kernel rootfs:file relabelfrom; 19allow kernel init_exec:file relabelto; 20# TODO: investigate why we need this. 21allow kernel init:process share; 22 23# cgroup filesystem initialization prior to setting the cgroup root directory label. 24allow kernel unlabeled:dir search; 25 26# Mount usbfs. 27allow kernel usbfs:filesystem mount; 28allow kernel usbfs:dir search; 29 30# Initial setenforce by init prior to switching to init domain. 31# We use dontaudit instead of allow to prevent a kernel spawned userspace 32# process from turning off SELinux once enabled. 33dontaudit kernel self:security setenforce; 34 35# Write to /proc/1/oom_adj prior to switching to init domain. 36allow kernel self:capability sys_resource; 37 38# Init reboot before switching selinux domains under certain error 39# conditions. Allow it. 40# As part of rebooting, init writes "u" to /proc/sysrq-trigger to 41# remount filesystems read-only. /data is not mounted at this point, 42# so we could ignore this. For now, we allow it. 43allow kernel self:capability sys_boot; 44allow kernel proc_sysrq:file w_file_perms; 45 46# Allow writing to /dev/kmsg which was created prior to loading policy. 47allow kernel tmpfs:chr_file write; 48 49# Set checkreqprot by init.rc prior to switching to init domain. 50allow kernel selinuxfs:file write; 51allow kernel self:security setcheckreqprot; 52 53# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723) 54allow kernel sdcard_type:file { read write }; 55 56# f_mtp driver accesses files from kernel context. 57allow kernel mediaprovider:fd use; 58 59# Allow the kernel to read OBB files from app directories. (b/17428116) 60# Kernel thread "loop0" reads a vold supplied file descriptor. 61# Fixes CTS tests: 62# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal 63# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs 64allow kernel vold:fd use; 65allow kernel app_data_file:file read; 66allow kernel asec_image_file:file read; 67 68# Allow reading loop device in update_engine_unittests. (b/28319454) 69userdebug_or_eng(` 70 allow kernel update_engine_data_file:file read; 71 allow kernel nativetest_data_file:file read; 72') 73 74# Access to /data/media. 75# This should be removed if sdcardfs is modified to alter the secontext for its 76# accesses to the underlying FS. 77allow kernel media_rw_data_file:dir create_dir_perms; 78allow kernel media_rw_data_file:file create_file_perms; 79 80# Access to /data/misc/vold/virtual_disk. 81allow kernel vold_data_file:file read; 82 83### 84### neverallow rules 85### 86 87# The initial task starts in the kernel domain (assigned via 88# initial_sid_contexts), but nothing ever transitions to it. 89neverallow * kernel:process { transition dyntransition }; 90 91# The kernel domain is never entered via an exec, nor should it 92# ever execute a program outside the rootfs without changing to another domain. 93# If you encounter an execute_no_trans denial on the kernel domain, then 94# possible causes include: 95# - The program is a kernel usermodehelper. In this case, define a domain 96# for the program and domain_auto_trans() to it. 97# - You are running an exploit which switched to the init task credentials 98# and is then trying to exec a shell or other program. You lose! 99neverallow kernel *:file { entrypoint execute_no_trans }; 100 101# the kernel should not be accessing files owned by other users. 102# Instead of adding dac_{read_search,override}, fix the unix permissions 103# on files being accessed. 104neverallow kernel self:capability { dac_override dac_read_search }; 105