• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# init is its own domain.
2type init, domain, mlstrustedsubject;
3type init_exec, system_file_type, exec_type, file_type;
4type init_tmpfs, file_type;
5
6# /dev/__null__ node created by init.
7allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
8
9#
10# init direct restorecon calls.
11#
12# /dev/kmsg
13allow init tmpfs:chr_file relabelfrom;
14allow init kmsg_device:chr_file { getattr write relabelto };
15# /dev/kmsg_debug
16userdebug_or_eng(`
17  allow init kmsg_debug_device:chr_file { open write relabelto };
18')
19
20# allow init to mount and unmount debugfs in debug builds
21userdebug_or_eng(`
22  allow init debugfs:dir mounton;
23')
24
25# /dev/__properties__
26allow init properties_device:dir relabelto;
27allow init properties_serial:file { write relabelto };
28allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
29# /dev/__properties__/property_info
30allow init properties_device:file create_file_perms;
31allow init property_info:file relabelto;
32# /dev/event-log-tags
33allow init device:file relabelfrom;
34allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
35# /dev/socket
36allow init { device socket_device dm_user_device }:dir relabelto;
37# allow init to establish connection and communicate with lmkd
38unix_socket_connect(init, lmkd, lmkd)
39# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
40allow init { null_device ptmx_device random_device } : chr_file relabelto;
41# /dev/device-mapper, /dev/block(/.*)?
42allow init tmpfs:{ chr_file blk_file } relabelfrom;
43allow init tmpfs:blk_file getattr;
44allow init block_device:{ dir blk_file lnk_file } relabelto;
45allow init dm_device:{ chr_file blk_file } relabelto;
46allow init dm_user_device:chr_file relabelto;
47allow init kernel:fd use;
48# restorecon for early mount device symlinks
49allow init tmpfs:lnk_file { getattr read relabelfrom };
50allow init {
51  metadata_block_device
52  misc_block_device
53  recovery_block_device
54  system_block_device
55  userdata_block_device
56}:{ blk_file lnk_file } relabelto;
57
58allow init super_block_device:lnk_file relabelto;
59
60# Create /mnt/sdcard -> /storage/self/primary symlink.
61allow init mnt_sdcard_file:lnk_file create;
62
63# setrlimit
64allow init self:global_capability_class_set sys_resource;
65
66# Remove /dev/.booting and load /debug_ramdisk/* files
67allow init tmpfs:file { getattr unlink };
68
69# Access pty created for fsck.
70allow init devpts:chr_file { read write open };
71
72# Create /dev/fscklogs files.
73allow init fscklogs:file create_file_perms;
74
75# Access /dev/__null__ node created prior to initial policy load.
76allow init tmpfs:chr_file write;
77
78# Access /dev/console.
79allow init console_device:chr_file rw_file_perms;
80
81# Access /dev/tty0.
82allow init tty_device:chr_file rw_file_perms;
83
84# Call mount(2).
85allow init self:global_capability_class_set sys_admin;
86
87# Call setns(2).
88allow init self:global_capability_class_set sys_chroot;
89
90# Create and mount on directories in /.
91allow init rootfs:dir create_dir_perms;
92allow init {
93    rootfs
94    cache_file
95    cgroup
96    linkerconfig_file
97    storage_file
98    mnt_user_file
99    system_data_file
100    system_data_root_file
101    system_file
102    vendor_file
103    postinstall_mnt_dir
104    mirror_data_file
105}:dir mounton;
106
107# Mount bpf fs on sys/fs/bpf
108allow init fs_bpf:dir mounton;
109
110# Mount on /dev/usb-ffs/adb.
111allow init device:dir mounton;
112
113# Mount tmpfs on /apex
114allow init apex_mnt_dir:dir mounton;
115
116# Bind-mount on /system/apex/com.android.art
117allow init art_apex_dir:dir mounton;
118
119# Create and remove symlinks in /.
120allow init rootfs:lnk_file { create unlink };
121
122# Mount debugfs on /sys/kernel/debug.
123allow init sysfs:dir mounton;
124
125# Create cgroups mount points in tmpfs and mount cgroups on them.
126allow init tmpfs:dir create_dir_perms;
127allow init tmpfs:dir mounton;
128allow init cgroup:dir create_dir_perms;
129allow init cgroup:file rw_file_perms;
130allow init cgroup_rc_file:file rw_file_perms;
131allow init cgroup_desc_file:file r_file_perms;
132allow init cgroup_desc_api_file:file r_file_perms;
133allow init vendor_cgroup_desc_file:file r_file_perms;
134allow init cgroup_v2:dir { mounton create_dir_perms};
135allow init cgroup_v2:file rw_file_perms;
136
137# /config
138allow init configfs:dir mounton;
139allow init configfs:dir create_dir_perms;
140allow init configfs:{ file lnk_file } create_file_perms;
141
142# /metadata
143allow init metadata_file:dir mounton;
144
145# Use tmpfs as /data, used for booting when /data is encrypted
146allow init tmpfs:dir relabelfrom;
147
148# Create directories under /dev/cpuctl after chowning it to system.
149allow init self:global_capability_class_set { dac_override dac_read_search };
150
151# Set system clock.
152allow init self:global_capability_class_set sys_time;
153
154allow init self:global_capability_class_set { sys_rawio mknod };
155
156# Mounting filesystems from block devices.
157allow init dev_type:blk_file r_file_perms;
158allowxperm init dev_type:blk_file ioctl BLKROSET;
159
160# Mounting filesystems.
161# Only allow relabelto for types used in context= mount options,
162# which should all be assigned the contextmount_type attribute.
163# This can be done in device-specific policy via type or typeattribute
164# declarations.
165allow init {
166  fs_type
167  enforce_debugfs_restriction(`-debugfs_type')
168}:filesystem ~relabelto;
169
170# Allow init to mount/unmount debugfs in non-user builds.
171enforce_debugfs_restriction(`
172  userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
173')
174
175# Allow init to mount tracefs in /sys/kernel/tracing
176allow init debugfs_tracing_debug:filesystem mount;
177
178allow init unlabeled:filesystem ~relabelto;
179allow init contextmount_type:filesystem relabelto;
180
181# Allow read-only access to context= mounted filesystems.
182allow init contextmount_type:dir r_dir_perms;
183allow init contextmount_type:notdevfile_class_set r_file_perms;
184
185# restorecon /adb_keys or any other rootfs files and directories to a more
186# specific type.
187allow init rootfs:{ dir file } relabelfrom;
188
189# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
190# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
191# system/core/init.rc requires at least cache_file and data_file_type.
192# init.<board>.rc files often include device-specific types, so
193# we just allow all file types except /system files here.
194allow init self:global_capability_class_set { chown fowner fsetid };
195
196allow init {
197  file_type
198  -app_data_file
199  -exec_type
200  -misc_logd_file
201  -nativetest_data_file
202  -privapp_data_file
203  -system_app_data_file
204  -system_file_type
205  -vendor_file_type
206}:dir { create search getattr open read setattr ioctl };
207
208allow init {
209  file_type
210  -app_data_file
211  -exec_type
212  -iorapd_data_file
213  -credstore_data_file
214  -keystore_data_file
215  -misc_logd_file
216  -nativetest_data_file
217  -privapp_data_file
218  -shell_data_file
219  -system_app_data_file
220  -system_file_type
221  -vendor_file_type
222  -vold_data_file
223}:dir { write add_name remove_name rmdir relabelfrom };
224
225allow init {
226  file_type
227  -apex_info_file
228  -app_data_file
229  -exec_type
230  -gsi_data_file
231  -iorapd_data_file
232  -credstore_data_file
233  -keystore_data_file
234  -misc_logd_file
235  -nativetest_data_file
236  -privapp_data_file
237  -runtime_event_log_tags_file
238  -shell_data_file
239  -system_app_data_file
240  -system_file_type
241  -vendor_file_type
242  -vold_data_file
243  enforce_debugfs_restriction(`-debugfs_type')
244}:file { create getattr open read write setattr relabelfrom unlink map };
245
246allow init tracefs_type:file { create_file_perms relabelfrom };
247
248allow init {
249  file_type
250  -app_data_file
251  -exec_type
252  -gsi_data_file
253  -iorapd_data_file
254  -credstore_data_file
255  -keystore_data_file
256  -misc_logd_file
257  -nativetest_data_file
258  -privapp_data_file
259  -shell_data_file
260  -system_app_data_file
261  -system_file_type
262  -vendor_file_type
263  -vold_data_file
264}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
265
266allow init {
267  file_type
268  -apex_mnt_dir
269  -app_data_file
270  -exec_type
271  -gsi_data_file
272  -iorapd_data_file
273  -credstore_data_file
274  -keystore_data_file
275  -misc_logd_file
276  -nativetest_data_file
277  -privapp_data_file
278  -shell_data_file
279  -system_app_data_file
280  -system_file_type
281  -vendor_file_type
282  -vold_data_file
283}:lnk_file { create getattr setattr relabelfrom unlink };
284
285allow init cache_file:lnk_file r_file_perms;
286
287allow init {
288  file_type
289  -system_file_type
290  -vendor_file_type
291  -exec_type
292  -app_data_file
293  -privapp_data_file
294}:dir_file_class_set relabelto;
295
296allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
297allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
298allow init dev_type:dir create_dir_perms;
299allow init dev_type:lnk_file create;
300
301# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
302allow init debugfs_tracing:file w_file_perms;
303
304# Setup and control wifi event tracing (see wifi-events.rc)
305allow init debugfs_tracing_instances:dir create_dir_perms;
306allow init debugfs_tracing_instances:file w_file_perms;
307allow init debugfs_wifi_tracing:file w_file_perms;
308
309# chown/chmod on pseudo files.
310allow init {
311  fs_type
312  -contextmount_type
313  -keychord_device
314  -proc_type
315  -sdcard_type
316  -sysfs_type
317  -rootfs
318  enforce_debugfs_restriction(`-debugfs_type')
319}:file { open read setattr };
320allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
321
322allow init {
323  binder_device
324  console_device
325  devpts
326  dm_device
327  hwbinder_device
328  input_device
329  kmsg_device
330  null_device
331  owntty_device
332  pmsg_device
333  ptmx_device
334  random_device
335  tty_device
336  zero_device
337}:chr_file { read open };
338
339# Unlabeled file access for upgrades from 4.2.
340allow init unlabeled:dir { create_dir_perms relabelfrom };
341allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
342
343# Any operation that can modify the kernel ring buffer, e.g. clear
344# or a read that consumes the messages that were read.
345allow init kernel:system syslog_mod;
346allow init self:global_capability2_class_set syslog;
347
348# init access to /proc.
349r_dir_file(init, proc_net_type)
350allow init proc_filesystems:file r_file_perms;
351
352userdebug_or_eng(`
353  # Overlayfs workdir write access check during mount to permit remount,rw
354  allow init overlayfs_file:dir { relabelfrom mounton write };
355  allow init overlayfs_file:file { append };
356  allow init system_block_device:blk_file { write };
357')
358
359allow init {
360  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
361  proc_bootconfig
362  proc_cmdline
363  proc_diskstats
364  proc_kmsg # Open /proc/kmsg for logd service.
365  proc_meminfo
366  proc_stat # Read /proc/stat for bootchart.
367  proc_uptime
368  proc_version
369}:file r_file_perms;
370
371allow init {
372  proc_abi
373  proc_dirty
374  proc_hostname
375  proc_hung_task
376  proc_extra_free_kbytes
377  proc_net_type
378  proc_max_map_count
379  proc_min_free_order_shift
380  proc_overcommit_memory      # /proc/sys/vm/overcommit_memory
381  proc_panic
382  proc_page_cluster
383  proc_perf
384  proc_sched
385  proc_sysrq
386}:file w_file_perms;
387
388allow init {
389  proc_security
390}:file rw_file_perms;
391
392# init chmod/chown access to /proc files.
393allow init {
394  proc_cmdline
395  proc_bootconfig
396  proc_kmsg
397  proc_net
398  proc_pagetypeinfo
399  proc_qtaguid_stat
400  proc_slabinfo
401  proc_sysrq
402  proc_qtaguid_ctrl
403  proc_vmallocinfo
404}:file setattr;
405
406# init access to /sys files.
407allow init {
408  sysfs_android_usb
409  sysfs_dm_verity
410  sysfs_leds
411  sysfs_power
412  sysfs_fs_f2fs
413  sysfs_dm
414}:file w_file_perms;
415
416allow init {
417  sysfs_dt_firmware_android
418  sysfs_fs_ext4_features
419}:file r_file_perms;
420
421allow init {
422  sysfs_zram
423}:file rw_file_perms;
424
425# allow init to create loop devices with /dev/loop-control
426allow init loop_control_device:chr_file rw_file_perms;
427allow init loop_device:blk_file rw_file_perms;
428allowxperm init loop_device:blk_file ioctl {
429  LOOP_SET_FD
430  LOOP_CLR_FD
431  LOOP_CTL_GET_FREE
432  LOOP_SET_BLOCK_SIZE
433  LOOP_SET_DIRECT_IO
434  LOOP_GET_STATUS
435};
436
437# Allow init to write to vibrator/trigger
438allow init sysfs_vibrator:file w_file_perms;
439
440# init chmod/chown access to /sys files.
441allow init {
442  sysfs_android_usb
443  sysfs_devices_system_cpu
444  sysfs_ipv4
445  sysfs_leds
446  sysfs_lowmemorykiller
447  sysfs_power
448  sysfs_vibrator
449  sysfs_wake_lock
450  sysfs_zram
451}:file setattr;
452
453# Set usermodehelpers.
454allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
455
456allow init self:global_capability_class_set net_admin;
457
458# Reboot.
459allow init self:global_capability_class_set sys_boot;
460
461# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
462# Init will also walk through the directory as part of a recursive restorecon.
463allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
464allow init misc_logd_file:file { open create getattr setattr write };
465
466# Support "adb shell stop"
467allow init self:global_capability_class_set kill;
468allow init domain:process { getpgid sigkill signal };
469
470# Init creates credstore's directory on boot, and walks through
471# the directory as part of a recursive restorecon.
472allow init credstore_data_file:dir { open create read getattr setattr search };
473allow init credstore_data_file:file { getattr };
474
475# Init creates keystore's directory on boot, and walks through
476# the directory as part of a recursive restorecon.
477allow init keystore_data_file:dir { open create read getattr setattr search };
478allow init keystore_data_file:file { getattr };
479
480# Init creates vold's directory on boot, and walks through
481# the directory as part of a recursive restorecon.
482allow init vold_data_file:dir { open create read getattr setattr search };
483allow init vold_data_file:file { getattr };
484
485# Init creates /data/local/tmp at boot
486allow init shell_data_file:dir { open create read getattr setattr search };
487allow init shell_data_file:file { getattr };
488
489# Set UID, GID, and adjust capability bounding set for services.
490allow init self:global_capability_class_set { setuid setgid setpcap };
491
492# For bootchart to read the /proc/$pid/cmdline file of each process,
493# we need to have following line to allow init to have access
494# to different domains.
495r_dir_file(init, domain)
496
497# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
498# setexec is for services with seclabel options.
499# setfscreate is for labeling directories and socket files.
500# setsockcreate is for labeling local/unix domain sockets.
501allow init self:process { setexec setfscreate setsockcreate };
502
503# Get file context
504allow init file_contexts_file:file r_file_perms;
505
506# sepolicy access
507allow init sepolicy_file:file r_file_perms;
508
509# Perform SELinux access checks on setting properties.
510selinux_check_access(init)
511
512# Ask the kernel for the new context on services to label their sockets.
513allow init kernel:security compute_create;
514
515# Create sockets for the services.
516allow init domain:unix_stream_socket { create bind setopt };
517allow init domain:unix_dgram_socket { create bind setopt };
518
519# Create /data/property and files within it.
520allow init property_data_file:dir create_dir_perms;
521allow init property_data_file:file create_file_perms;
522
523# Set any property.
524allow init property_type:property_service set;
525
526# Send an SELinux userspace denial to the kernel audit subsystem,
527# so it can be picked up and processed by logd. These denials are
528# generated when an attempt to set a property is denied by policy.
529allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
530allow init self:global_capability_class_set audit_write;
531
532# Run "ifup lo" to bring up the localhost interface
533allow init self:udp_socket { create ioctl };
534# in addition to unpriv ioctls granted to all domains, init also needs:
535allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
536allow init self:global_capability_class_set net_raw;
537
538# Set scheduling info for psi monitor thread.
539# TODO: delete or revise this line b/131761776
540allow init kernel:process { getsched setsched };
541
542# swapon() needs write access to swap device
543# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
544allow init swap_block_device:blk_file rw_file_perms;
545
546# Create and access /dev files without a specific type,
547# e.g. /dev/.coldboot_done, /dev/.booting
548# TODO:  Move these files into their own type unless they are
549# only ever accessed by init.
550allow init device:file create_file_perms;
551
552# keychord retrieval from /dev/input/ devices
553allow init input_device:dir r_dir_perms;
554allow init input_device:chr_file rw_file_perms;
555
556# Access device mapper for setting up dm-verity
557allow init dm_device:chr_file rw_file_perms;
558allow init dm_device:blk_file rw_file_perms;
559
560# Access dm-user for OTA boot
561allow init dm_user_device:chr_file rw_file_perms;
562
563# Access metadata block device for storing dm-verity state
564allow init metadata_block_device:blk_file rw_file_perms;
565
566# Read /sys/fs/pstore/console-ramoops to detect restarts caused
567# by dm-verity detecting corrupted blocks
568allow init pstorefs:dir search;
569allow init pstorefs:file r_file_perms;
570allow init kernel:system syslog_read;
571
572# linux keyring configuration
573allow init init:key { write search setattr };
574
575# Allow init to create /data/unencrypted
576allow init unencrypted_data_file:dir create_dir_perms;
577
578# Set encryption policy on dirs in /data
579allowxperm init { data_file_type unlabeled }:dir ioctl {
580  FS_IOC_GET_ENCRYPTION_POLICY
581  FS_IOC_SET_ENCRYPTION_POLICY
582};
583
584# Raw writes to misc block device
585allow init misc_block_device:blk_file w_file_perms;
586
587r_dir_file(init, system_file)
588r_dir_file(init, vendor_file_type)
589
590allow init system_data_file:file { getattr read };
591allow init system_data_file:lnk_file r_file_perms;
592
593# For init to be able to run shell scripts from vendor
594allow init vendor_shell_exec:file execute;
595
596# Metadata setup
597allow init vold_metadata_file:dir create_dir_perms;
598allow init vold_metadata_file:file getattr;
599allow init metadata_bootstat_file:dir create_dir_perms;
600allow init metadata_bootstat_file:file w_file_perms;
601allow init userspace_reboot_metadata_file:file w_file_perms;
602
603# Allow init to touch PSI monitors
604allow init proc_pressure_mem:file { rw_file_perms setattr };
605
606# init is using bootstrap bionic
607allow init system_bootstrap_lib_file:dir r_dir_perms;
608allow init system_bootstrap_lib_file:file { execute read open getattr map };
609
610# stat the root dir of fuse filesystems (for the mount handler)
611allow init fuse:dir { search getattr };
612
613# allow filesystem tuning
614allow init userdata_sysdev:file create_file_perms;
615
616###
617### neverallow rules
618###
619
620# The init domain is only entered via an exec based transition from the
621# kernel domain, never via setcon().
622neverallow domain init:process dyntransition;
623neverallow { domain -kernel } init:process transition;
624neverallow init { file_type fs_type -init_exec }:file entrypoint;
625
626# Never read/follow symlinks created by shell or untrusted apps.
627neverallow init shell_data_file:lnk_file read;
628neverallow init { app_data_file privapp_data_file }:lnk_file read;
629
630# init should never execute a program without changing to another domain.
631neverallow init { file_type fs_type }:file execute_no_trans;
632
633# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
634# when init is executing other binaries. The use of LD_PRELOAD for init spawned
635# services is generally considered a no-no, as it injects libraries which the
636# binary was not expecting. This is especially problematic for APEXes. The use
637# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
638# code into a process which wasn't expecting that code, with potentially
639# unexpected side effects. (b/140789528)
640neverallow init *:process noatsecure;
641
642# init can never add binder services
643neverallow init service_manager_type:service_manager { add find };
644# init can never list binder services
645neverallow init servicemanager:service_manager list;
646
647# Init should not be creating subdirectories in /data/local/tmp
648neverallow init shell_data_file:dir { write add_name remove_name };
649
650# Init should not access sysfs node that are not explicitly labeled.
651neverallow init sysfs:file { open read write };
652
653# No domain should be allowed to ptrace init.
654neverallow * init:process ptrace;
655
656# init owns the root of /data
657# TODO(b/140259336) We want to remove vendor_init
658# TODO(b/141108496) We want to remove toolbox
659neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
660