Lines Matching refs:init
# Review note: this view lists only the policy lines that mention `init`. The
# number at the start of each line is its line number in the policy file, so
# gaps in the numbering are hidden lines. A rule shown as a bare `allow init {`
# continues on lines that are not displayed; its targets and permissions
# cannot be read from this listing.
1 # init is its own domain.
# Declares the type `init` with the attributes `domain` and `mlstrustedsubject`.
# NOTE(review): mlstrustedsubject presumably exempts init from the policy's MLS
# constraints; confirm against the MLS constraint definitions.
2 type init, domain, mlstrustedsubject;
6 # /dev/__null__ node created by init.
7 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
10 # init direct restorecon calls.
# Relabelling needs relabelfrom on the object's current type and relabelto on
# the new type. The rules below pair relabelfrom on generic labels (tmpfs,
# device) with relabelto on individually named types, so the set of labels
# init may assign is enumerated rather than open-ended.
13 allow init tmpfs:chr_file relabelfrom;
14 allow init kmsg_device:chr_file { getattr write relabelto };
17 allow init kmsg_debug_device:chr_file { open write relabelto };
20 # allow init to mount and unmount debugfs in debug builds
22 allow init debugfs:dir mounton;
26 allow init properties_device:dir relabelto;
27 allow init properties_serial:file { write relabelto };
# The permission set on the next line is cut off by the viewer (`…`).
28 allow init property_type:file { append create getattr map open read relabelto rename setattr unlink…
30 allow init properties_device:file create_file_perms;
31 allow init property_info:file relabelto;
33 allow init device:file relabelfrom;
34 allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
36 allow init { device socket_device dm_user_device }:dir relabelto;
37 # allow init to establish connection and communicate with lmkd
# unix_socket_connect is a macro defined outside this listing.
38 unix_socket_connect(init, lmkd, lmkd)
39 # Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
40 allow init { null_device ptmx_device random_device } : chr_file relabelto;
42 allow init tmpfs:{ chr_file blk_file } relabelfrom;
43 allow init tmpfs:blk_file getattr;
44 allow init block_device:{ dir blk_file lnk_file } relabelto;
45 allow init dm_device:{ chr_file blk_file } relabelto;
46 allow init dm_user_device:chr_file relabelto;
# init may use file descriptors whose label is the `kernel` type.
47 allow init kernel:fd use;
49 allow init tmpfs:lnk_file { getattr read relabelfrom };
# Multi-line rule; the type set and permissions are on hidden lines.
50 allow init {
58 allow init super_block_device:lnk_file relabelto;
61 allow init mnt_sdcard_file:lnk_file create;
# Capabilities, mount points and cgroup/configfs access (matched lines only).
# `allow init self:global_capability_class_set X` grants init Linux capability
# X on itself. NOTE(review): global_capability_class_set is a macro defined
# outside this listing; presumably it names the capability classes. Confirm.
# The comments that justify each capability sit on hidden lines; read them in
# the full file before copying or widening any of these grants.
64 allow init self:global_capability_class_set sys_resource;
67 allow init tmpfs:file { getattr unlink };
70 allow init devpts:chr_file { read write open };
73 allow init fscklogs:file create_file_perms;
76 allow init tmpfs:chr_file write;
79 allow init console_device:chr_file rw_file_perms;
82 allow init tty_device:chr_file rw_file_perms;
# sys_admin is a very broad capability. The SELinux rules in this file are what
# bound its use, so every `mounton` and filesystem rule is part of that bound.
85 allow init self:global_capability_class_set sys_admin;
88 allow init self:global_capability_class_set sys_chroot;
91 allow init rootfs:dir create_dir_perms;
# Multi-line rule; the type set and permissions are on hidden lines.
92 allow init {
# `mounton` lets init use a directory of the named type as a mount point. Each
# mount point type is listed individually.
108 allow init fs_bpf:dir mounton;
111 allow init device:dir mounton;
114 allow init apex_mnt_dir:dir mounton;
117 allow init art_apex_dir:dir mounton;
120 allow init rootfs:lnk_file { create unlink };
123 allow init sysfs:dir mounton;
126 allow init tmpfs:dir create_dir_perms;
127 allow init tmpfs:dir mounton;
# cgroup hierarchy: init can create directories and write files; the
# description files (cgroup_desc_*, vendor_cgroup_desc_file) are read-only.
128 allow init cgroup:dir create_dir_perms;
129 allow init cgroup:file rw_file_perms;
130 allow init cgroup_rc_file:file rw_file_perms;
131 allow init cgroup_desc_file:file r_file_perms;
132 allow init cgroup_desc_api_file:file r_file_perms;
133 allow init vendor_cgroup_desc_file:file r_file_perms;
134 allow init cgroup_v2:dir { mounton create_dir_perms};
135 allow init cgroup_v2:file rw_file_perms;
138 allow init configfs:dir mounton;
139 allow init configfs:dir create_dir_perms;
140 allow init configfs:{ file lnk_file } create_file_perms;
143 allow init metadata_file:dir mounton;
146 allow init tmpfs:dir relabelfrom;
# dac_override / dac_read_search bypass UNIX owner and mode checks only;
# SELinux rules are still evaluated for each access.
149 allow init self:global_capability_class_set { dac_override dac_read_search };
152 allow init self:global_capability_class_set sys_time;
154 allow init self:global_capability_class_set { sys_rawio mknod };
# Block devices: read access to every dev_type block file, with the ioctl
# commands narrowed by allowxperm to BLKROSET. allowxperm only filters ioctl
# commands; the `ioctl` permission itself must come from an allow rule.
# NOTE(review): presumably r_file_perms (macro not shown) supplies it. Confirm.
157 allow init dev_type:blk_file r_file_perms;
158 allowxperm init dev_type:blk_file ioctl BLKROSET;
# Multi-line rule; the type set and permissions are on hidden lines.
165 allow init {
# Filesystem mount/relabel rules and the file operations init performs for
# init.rc commands (matched lines only).
170 # Allow init to mount/unmount debugfs in non-user builds.
# The userdebug_or_eng(...) wrapper emits the rule only for those build
# variants, so this line gives user builds no debugfs mount/unmount permission.
172 userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
175 # Allow init to mount tracefs in /sys/kernel/tracing
176 allow init debugfs_tracing_debug:filesystem mount;
# `~relabelto` is a complement set: every permission of the `filesystem` class
# except relabelto. relabelto is then granted only for contextmount_type.
178 allow init unlabeled:filesystem ~relabelto;
179 allow init contextmount_type:filesystem relabelto;
182 allow init contextmount_type:dir r_dir_perms;
183 allow init contextmount_type:notdevfile_class_set r_file_perms;
187 allow init rootfs:{ dir file } relabelfrom;
189 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
191 # system/core/init.rc requires at least cache_file and data_file_type.
192 # init.<board>.rc files often include device-specific types, so
194 allow init self:global_capability_class_set { chown fowner fsetid };
# The `allow init {` rules below are multi-line; the type sets (including any
# exclusions) and the permissions are on hidden lines. They cannot be audited
# from this listing.
196 allow init {
208 allow init {
225 allow init {
246 allow init tracefs_type:file { create_file_perms relabelfrom };
248 allow init {
266 allow init {
285 allow init cache_file:lnk_file r_file_perms;
287 allow init {
# The next two lines are cut off by the viewer (`…`), so the permissions are
# not visible. NOTE(review): no_debugfs_restriction(...) is a macro defined
# outside this listing; presumably it includes the debugfs types only when
# debugfs access is not restricted. Confirm.
296 allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir …
297 allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file }…
298 allow init dev_type:dir create_dir_perms;
299 allow init dev_type:lnk_file create;
# Tracing controls are write-only (w_file_perms) on these lines.
302 allow init debugfs_tracing:file w_file_perms;
305 allow init debugfs_tracing_instances:dir create_dir_perms;
306 allow init debugfs_tracing_instances:file w_file_perms;
307 allow init debugfs_wifi_tracing:file w_file_perms;
310 allow init {
# `-type` inside a set subtracts it: every fs_type except contextmount_type,
# sdcard_type and rootfs. The grant is limited to open/read/setattr/search.
320 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
322 allow init {
# Objects carrying the `unlabeled` type: init may create and manage them, and
# relabelfrom lets it move them off `unlabeled` onto a real type.
340 allow init unlabeled:dir { create_dir_perms relabelfrom };
341 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
# Kernel log control: the `system` class permission syslog_mod, plus the
# `syslog` capability from the capability2 class set.
345 allow init kernel:system syslog_mod;
346 allow init self:global_capability2_class_set syslog;
# /proc, /sys, overlayfs and loop-device access, plus the net_admin and
# sys_boot capabilities (matched lines only).
348 # init access to /proc.
# r_dir_file is a macro defined outside this listing.
# NOTE(review): presumably read-only directory and file access. Confirm.
349 r_dir_file(init, proc_net_type)
350 allow init proc_filesystems:file r_file_perms;
354 allow init overlayfs_file:dir { relabelfrom mounton write };
355 allow init overlayfs_file:file { append };
# Direct write to the system block device. The justification is on a hidden
# line; check it in the full file when reviewing this grant.
356 allow init system_block_device:blk_file { write };
# Multi-line rules; the type sets and permissions are on hidden lines.
359 allow init {
371 allow init {
388 allow init {
392 # init chmod/chown access to /proc files.
393 allow init {
406 # init access to /sys files.
407 allow init {
416 allow init {
421 allow init {
425 # allow init to create loop devices with /dev/loop-control
426 allow init loop_control_device:chr_file rw_file_perms;
427 allow init loop_device:blk_file rw_file_perms;
# allowxperm restricts which ioctl commands are accepted on loop devices; the
# command list is on hidden lines.
428 allowxperm init loop_device:blk_file ioctl {
437 # Allow init to write to vibrator/trigger
438 allow init sysfs_vibrator:file w_file_perms;
440 # init chmod/chown access to /sys files.
441 allow init {
# NOTE(review): these types presumably label the kernel's usermode-helper path
# settings; write access to them is security-sensitive. Confirm which files
# carry these labels in the file_contexts / genfs_contexts definitions.
454 allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
456 allow init self:global_capability_class_set net_admin;
459 allow init self:global_capability_class_set sys_boot;
# Process control, per-service data directories, SELinux self-management,
# properties and sockets (matched lines only).
463 allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
464 allow init misc_logd_file:file { open create getattr setattr write };
# The `kill` capability plus signal permissions on every `domain` process.
# Only getpgid, sigkill and signal are granted here.
467 allow init self:global_capability_class_set kill;
468 allow init domain:process { getpgid sigkill signal };
# For credstore, keystore, vold and shell data, the lines shown let init create
# and inspect the directories but grant only `getattr` on the files inside:
# no open, read or write of file contents. Hidden multi-line rules could add
# more, so verify in the full file.
472 allow init credstore_data_file:dir { open create read getattr setattr search };
473 allow init credstore_data_file:file { getattr };
477 allow init keystore_data_file:dir { open create read getattr setattr search };
478 allow init keystore_data_file:file { getattr };
482 allow init vold_data_file:dir { open create read getattr setattr search };
483 allow init vold_data_file:file { getattr };
486 allow init shell_data_file:dir { open create read getattr setattr search };
487 allow init shell_data_file:file { getattr };
490 allow init self:global_capability_class_set { setuid setgid setpcap };
493 # we need to have following line to allow init to have access
495 r_dir_file(init, domain)
# init may set the security context used for its next exec (setexec), for files
# it creates (setfscreate) and for sockets it creates (setsockcreate).
501 allow init self:process { setexec setfscreate setsockcreate };
504 allow init file_contexts_file:file r_file_perms;
507 allow init sepolicy_file:file r_file_perms;
# selinux_check_access is a macro defined outside this listing.
510 selinux_check_access(init)
513 allow init kernel:security compute_create;
# The target is `domain`, not `self`: these rules cover sockets labelled with
# any domain type. NOTE(review): presumably the sockets init creates on behalf
# of the services it starts. Confirm.
516 allow init domain:unix_stream_socket { create bind setopt };
517 allow init domain:unix_dgram_socket { create bind setopt };
520 allow init property_data_file:dir create_dir_perms;
521 allow init property_data_file:file create_file_perms;
# init may set properties of every type carrying the property_type attribute.
524 allow init property_type:property_service set;
529 allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
530 allow init self:global_capability_class_set audit_write;
533 allow init self:udp_socket { create ioctl };
534 # in addition to unpriv ioctls granted to all domains, init also needs:
# Only the SIOCSIFFLAGS ioctl command is added on init's own UDP sockets.
535 allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
536 allow init self:global_capability_class_set net_raw;
540 allow init kernel:process { getsched setsched };
# Block/device-mapper devices, pstore, keys, metadata and the files init may
# execute or map (matched lines only).
544 allow init swap_block_device:blk_file rw_file_perms;
549 # only ever accessed by init.
550 allow init device:file create_file_perms;
553 allow init input_device:dir r_dir_perms;
554 allow init input_device:chr_file rw_file_perms;
# Read/write on device-mapper nodes and the metadata block device.
557 allow init dm_device:chr_file rw_file_perms;
558 allow init dm_device:blk_file rw_file_perms;
561 allow init dm_user_device:chr_file rw_file_perms;
564 allow init metadata_block_device:blk_file rw_file_perms;
# pstore is read-only for init; syslog_read covers reading the kernel log.
568 allow init pstorefs:dir search;
569 allow init pstorefs:file r_file_perms;
570 allow init kernel:system syslog_read;
# Kernel key objects labelled `init` (class `key`): write, search and setattr.
573 allow init init:key { write search setattr };
575 # Allow init to create /data/unencrypted
576 allow init unencrypted_data_file:dir create_dir_perms;
# ioctl command filter for data directories; the command list is on hidden
# lines.
579 allowxperm init { data_file_type unlabeled }:dir ioctl {
# Write-only (w_file_perms) on the misc block device.
585 allow init misc_block_device:blk_file w_file_perms;
587 r_dir_file(init, system_file)
588 r_dir_file(init, vendor_file_type)
# This line grants getattr and read but not `open`.
590 allow init system_data_file:file { getattr read };
591 allow init system_data_file:lnk_file r_file_perms;
593 # For init to be able to run shell scripts from vendor
# Only `execute` is granted. Because a neverallow later in this file forbids
# execute_no_trans for init, running the vendor shell requires a transition to
# another domain.
594 allow init vendor_shell_exec:file execute;
597 allow init vold_metadata_file:dir create_dir_perms;
598 allow init vold_metadata_file:file getattr;
599 allow init metadata_bootstat_file:dir create_dir_perms;
600 allow init metadata_bootstat_file:file w_file_perms;
601 allow init userspace_reboot_metadata_file:file w_file_perms;
603 # Allow init to touch PSI monitors
604 allow init proc_pressure_mem:file { rw_file_perms setattr };
606 # init is using bootstrap bionic
# execute + map on the bootstrap library files lets init load them as code.
# No write permission is granted on this line.
607 allow init system_bootstrap_lib_file:dir r_dir_perms;
608 allow init system_bootstrap_lib_file:file { execute read open getattr map };
611 allow init fuse:dir { search getattr };
614 allow init userdata_sysdev:file create_file_perms;
# neverallow rules are assertions checked when the policy is compiled; they
# grant nothing at runtime. Any allow rule that contradicts one, including a
# device-specific addition, makes the policy build fail. This group constrains
# how the init domain is entered and what init itself may do (matched lines
# only).
620 # The init domain is only entered via an exec based transition from the
# No domain may dyntransition into init, only `kernel` may transition into it,
# and only a file labelled init_exec may serve as its entrypoint.
622 neverallow domain init:process dyntransition;
623 neverallow { domain -kernel } init:process transition;
624 neverallow init { file_type fs_type -init_exec }:file entrypoint;
# init must never read symlinks in shell or app data.
# NOTE(review): presumably to keep init from following links planted by
# less-trusted writers of those directories. Confirm against the hidden comment.
627 neverallow init shell_data_file:lnk_file read;
628 neverallow init { app_data_file privapp_data_file }:lnk_file read;
630 # init should never execute a program without changing to another domain.
# execute_no_trans is the permission for exec without a domain change. With it
# forbidden, nothing init launches keeps running in the init domain.
631 neverallow init { file_type fs_type }:file execute_no_trans;
634 # when init is executing other binaries. The use of LD_PRELOAD for init spawned
# `noatsecure` would let a transition skip the secure-exec (AT_SECURE) mode
# that makes the dynamic linker ignore variables such as LD_PRELOAD.
# Forbidding it for every target keeps that protection on all domain
# transitions out of init.
640 neverallow init *:process noatsecure;
642 # init can never add binder services
643 neverallow init service_manager_type:service_manager { add find };
644 # init can never list binder services
645 neverallow init servicemanager:service_manager list;
# init may create shell_data_file directories (see the allow rules above) but
# must never add, remove or write entries in them.
648 neverallow init shell_data_file:dir { write add_name remove_name };
# Forbids open/read/write on files that carry the generic `sysfs` label.
# NOTE(review): presumably this forces any /sys file init touches to be given
# a specific type. Confirm against the hidden comment.
651 neverallow init sysfs:file { open read write };
653 # No domain should be allowed to ptrace init.
# `*` matches every source type, so there are no exceptions.
654 neverallow * init:process ptrace;
656 # init owns the root of /data
# Exempts init, toolbox, vendor_init and vold. The permission list is cut off
# by the viewer (`…`).
659 neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name …