Lines Matching refs:init
# NOTE(review): this is a filtered cross-reference view; only lines that mention
# `init` are listed. The leading number on each line is its line number in the
# original policy file. `allow init {` openers and lines ending in `…` are cut
# off, so their full type and permission sets cannot be reviewed from here.
1 # init is its own domain.
# Declares the type init and attaches the attributes domain and mlstrustedsubject.
# NOTE(review): mlstrustedsubject is normally the attribute that the MLS
# constraints exempt; confirm against the MLS constraint file.
2 type init, domain, mlstrustedsubject;
6 # /dev/__null__ node created by init.
7 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
10 # init direct restorecon calls.
# Relabel pattern in the rules below: relabelfrom is granted on generic source
# types (tmpfs, device) and relabelto on named destination types, so the
# visible rules enumerate which labels init may apply when it relabels a node.
13 allow init tmpfs:chr_file relabelfrom;
14 allow init kmsg_device:chr_file { getattr write relabelto };
17 allow init kmsg_debug_device:chr_file { write relabelto };
20 allow init properties_device:dir relabelto;
21 allow init properties_serial:file { write relabelto };
# The next rule targets the property_type attribute, not a single type; its
# permission list is truncated in this view.
22 allow init property_type:file { append create getattr map open read relabelto rename setattr unlink…
24 allow init properties_device:file create_file_perms;
25 allow init property_info:file relabelto;
27 allow init device:file relabelfrom;
28 allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
30 allow init { device socket_device }:dir relabelto;
31 # Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
32 allow init { null_device ptmx_device random_device } : chr_file relabelto;
34 allow init tmpfs:{ chr_file blk_file } relabelfrom;
35 allow init tmpfs:blk_file getattr;
36 allow init block_device:{ dir blk_file lnk_file } relabelto;
37 allow init dm_device:{ chr_file blk_file } relabelto;
# fd use: init may use file descriptors whose owner is the kernel domain.
38 allow init kernel:fd use;
40 allow init tmpfs:lnk_file { getattr read relabelfrom };
# Opener of a multi-line rule; its body is not part of this listing.
41 allow init {
# Capability, mount-point and filesystem rules for init.
# global_capability_class_set is a macro defined outside this listing.
# NOTE(review): in AOSP it names the capability classes; confirm in the macro
# definitions. An SELinux capability rule permits use of a capability the
# process already holds; it does not confer the capability by itself.
50 allow init self:global_capability_class_set sys_resource;
53 allow init tmpfs:file { getattr unlink };
56 allow init devpts:chr_file { read write open };
59 allow init fscklogs:file create_file_perms;
62 allow init tmpfs:chr_file write;
65 allow init console_device:chr_file rw_file_perms;
68 allow init tty_device:chr_file rw_file_perms;
# sys_admin is a very broad capability. Together with the mounton rules below
# it is presumably what lets init set up mount points; the original rationale
# comments (lines 70 and 73) are not in this listing.
71 allow init self:global_capability_class_set sys_admin;
74 allow init self:global_capability_class_set sys_chroot;
77 allow init rootfs:dir create_dir_perms;
78 allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postins…
79 allow init cgroup_bpf:dir { create mounton };
82 allow init fs_bpf:dir mounton;
85 allow init device:dir mounton;
88 allow init apex_mnt_dir:dir mounton;
91 allow init rootfs:lnk_file { create unlink };
94 allow init sysfs:dir mounton;
97 allow init tmpfs:dir create_dir_perms;
98 allow init tmpfs:dir mounton;
99 allow init cgroup:dir create_dir_perms;
100 allow init cgroup:file rw_file_perms;
101 allow init cgroup_rc_file:file rw_file_perms;
102 allow init cgroup_desc_file:file r_file_perms;
103 allow init vendor_cgroup_desc_file:file r_file_perms;
106 allow init configfs:dir mounton;
107 allow init configfs:dir create_dir_perms;
108 allow init configfs:{ file lnk_file } create_file_perms;
111 allow init metadata_file:dir mounton;
114 allow init tmpfs:dir relabelfrom;
# dac_override / dac_read_search let init bypass Unix permission bits, so for
# init the per-type SELinux rules are the effective access boundary.
117 allow init self:global_capability_class_set { dac_override dac_read_search };
120 allow init self:global_capability_class_set sys_time;
122 allow init self:global_capability_class_set { sys_rawio mknod };
125 allow init dev_type:blk_file r_file_perms;
# allowxperm is an extended-permission rule: it names BLKROSET as an ioctl
# command init may issue on dev_type block devices. Other allowxperm rules for
# this class, if any, are outside this listing.
126 allowxperm init dev_type:blk_file ioctl BLKROSET;
# `~relabelto` is the complement set: every filesystem permission except
# relabelto on fs_type and unlabeled. relabelto on a filesystem is granted
# only for contextmount_type.
133 allow init fs_type:filesystem ~relabelto;
134 allow init unlabeled:filesystem ~relabelto;
135 allow init contextmount_type:filesystem relabelto;
# contextmount_type objects are read-only for init in the visible rules.
138 allow init contextmount_type:dir r_dir_perms;
139 allow init contextmount_type:notdevfile_class_set r_file_perms;
# File operations that init performs on behalf of init.rc scripts, plus
# sysfs/debugfs access and handling of unlabeled objects.
143 allow init rootfs:{ dir file } relabelfrom;
145 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
147 # system/core/init.rc requires at least cache_file and data_file_type.
148 # init.<board>.rc files often include device-specific types, so
# chown/fowner/fsetid: presumably the capabilities behind the chown/chmod
# operations named in the comment above.
150 allow init self:global_capability_class_set { chown fowner fsetid };
# The five `allow init {` openers below start multi-line rules whose type sets
# and permissions are not listed; they cannot be reviewed from this view.
152 allow init {
164 allow init {
181 allow init {
199 allow init {
216 allow init {
234 allow init cache_file:lnk_file r_file_perms;
236 allow init {
245 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr …
# relabelto on the sysfs_type and debugfs_type attributes: init may apply any
# type carrying those attributes to dirs, files and symlinks.
246 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
247 allow init dev_type:dir create_dir_perms;
248 allow init dev_type:lnk_file create;
251 allow init debugfs_tracing:file w_file_perms;
254 allow init debugfs_tracing_instances:dir create_dir_perms;
255 allow init debugfs_tracing_instances:file w_file_perms;
256 allow init debugfs_wifi_tracing:file w_file_perms;
259 allow init {
# Type-set subtraction: the rule covers every fs_type except
# contextmount_type, sdcard_type and rootfs.
268 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
270 allow init {
290 allow init {
# unlabeled objects: init may create and manage them and, through relabelfrom,
# move them off the unlabeled type.
297 allow init unlabeled:dir { create_dir_perms relabelfrom };
298 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
# Kernel log control: syslog_mod on the kernel's system class plus the syslog
# capability (from the second capability class set).
302 allow init kernel:system syslog_mod;
303 allow init self:global_capability2_class_set syslog;
# /proc and /sys access, loop devices, process signalling, and limited access
# to other components' data directories.
305 # init access to /proc.
# r_dir_file is a macro defined outside this listing. NOTE(review): by its
# name and use it grants read access to dirs and files of the given type;
# confirm in the macro definitions.
306 r_dir_file(init, proc_net_type)
307 allow init proc_filesystems:file r_file_perms;
311 allow init overlayfs_file:dir { relabelfrom mounton write };
312 allow init overlayfs_file:file { append };
# NOTE(review): write access to the system partition's block device; the
# rationale comment for this rule is not part of this listing.
313 allow init system_block_device:blk_file { write };
# Openers of multi-line rules; the bodies are not listed.
316 allow init {
327 allow init {
344 allow init {
348 # init chmod/chown access to /proc files.
349 allow init {
360 # init access to /sys files.
361 allow init {
369 allow init {
374 allow init {
378 # allow init to create loop devices with /dev/loop-control
379 allow init loop_control_device:chr_file rw_file_perms;
380 allow init loop_device:blk_file rw_file_perms;
# Extended-permission rule listing ioctl commands for loop devices; the
# command list itself is cut off here.
381 allowxperm init loop_device:blk_file ioctl {
389 # Allow init to write to vibrator/trigger
390 allow init sysfs_vibrator:file w_file_perms;
392 # init chmod/chown access to /sys files.
393 allow init {
406 allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
408 allow init self:global_capability_class_set net_admin;
411 allow init self:global_capability_class_set sys_boot;
415 allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
416 allow init misc_logd_file:file { open create getattr setattr write };
# The target is the domain attribute, so init may signal (including SIGKILL)
# processes in every domain.
419 allow init self:global_capability_class_set kill;
420 allow init domain:process { getpgid sigkill signal };
# keystore, vold and shell data: the visible rules let init create, stat and
# search the directories but grant only getattr on the files. They give no
# read or write access to file contents.
424 allow init keystore_data_file:dir { open create read getattr setattr search };
425 allow init keystore_data_file:file { getattr };
429 allow init vold_data_file:dir { open create read getattr setattr search };
430 allow init vold_data_file:file { getattr };
433 allow init shell_data_file:dir { open create read getattr setattr search };
434 allow init shell_data_file:file { getattr };
# Identity changes, SELinux context selection, sockets, properties, devices
# and assorted data-file access for init.
# setuid/setgid/setpcap: presumably used when init starts services under other
# UIDs/GIDs and capability sets; the rationale comment is not listed.
437 allow init self:global_capability_class_set { setuid setgid setpcap };
440 # we need to have following line to allow init to have access
442 r_dir_file(init, domain)
# setexec / setfscreate / setsockcreate: init may choose the security context
# used for its next exec, for files it creates and for sockets it creates.
448 allow init self:process { setexec setfscreate setsockcreate };
451 allow init file_contexts_file:file r_file_perms;
454 allow init sepolicy_file:file r_file_perms;
# Macro defined outside this listing.
457 selinux_check_access(init)
460 allow init kernel:security compute_create;
# Sockets labeled with any domain type: init may create, bind and configure
# them. The rules list no connect or send/receive permission.
463 allow init domain:unix_stream_socket { create bind setopt };
464 allow init domain:unix_dgram_socket { create bind setopt };
467 allow init property_data_file:dir create_dir_perms;
468 allow init property_data_file:file create_file_perms;
# The target is the property_type attribute: init may set every property.
471 allow init property_type:property_service set;
476 allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
477 allow init self:global_capability_class_set audit_write;
480 allow init self:udp_socket { create ioctl };
481 # in addition to unpriv ioctls granted to all domains, init also needs:
482 allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
483 allow init self:global_capability_class_set net_raw;
486 allow init kernel:process { getsched setsched };
490 allow init swap_block_device:blk_file rw_file_perms;
493 # system/core/init/init.c - mix_hwrng_into_linux_rng_action
494 allow init hw_random_device:chr_file r_file_perms;
499 # only ever accessed by init.
500 allow init device:file create_file_perms;
503 allow init input_device:dir r_dir_perms;
504 allow init input_device:chr_file rw_file_perms;
507 allow init dm_device:chr_file rw_file_perms;
508 allow init dm_device:blk_file rw_file_perms;
511 allow init metadata_block_device:blk_file rw_file_perms;
515 allow init pstorefs:dir search;
516 allow init pstorefs:file r_file_perms;
517 allow init kernel:system syslog_read;
# Key class with init as both source and target: keys labeled init.
520 allow init init:key { write search setattr };
522 # Allow init to create /data/unencrypted
523 allow init unencrypted_data_file:dir create_dir_perms;
# Extended-permission rule for ioctls on data directories; the command list is
# cut off in this view.
526 allowxperm init data_file_type:dir ioctl {
531 # Allow init to write to /proc/sys/vm/overcommit_memory
532 allow init proc_overcommit_memory:file { write };
535 allow init misc_block_device:blk_file w_file_perms;
537 r_dir_file(init, system_file)
538 r_dir_file(init, vendor_file_type)
540 allow init system_data_file:file { getattr read };
541 allow init system_data_file:lnk_file r_file_perms;
543 # For init to be able to run shell scripts from vendor
# Only `execute` is granted here. execute_no_trans is forbidden for init by the
# neverallow at original line 580, so running the vendor shell requires a
# domain transition out of init.
544 allow init vendor_shell_exec:file execute;
547 allow init vold_metadata_file:dir create_dir_perms;
548 allow init vold_metadata_file:file getattr;
# Binder access for init, limited in the visible rules to finding apex_service
# and calling apexd. The neverallow rules at original lines 583-587 assert that
# init finds no other service and never adds or lists services.
550 # Allow init to use binder
# binder_use is a macro defined outside this listing.
551 binder_use(init);
552 allow init apex_service:service_manager find;
# Source domain here is servicemanager, not init: it may transfer binder
# references to init.
554 allow servicemanager init:binder transfer;
555 # Allow calls from init to apexd
556 allow init apexd:binder call;
558 # Allow init to touch PSI monitors
559 allow init proc_pressure_mem:file { rw_file_perms setattr };
561 # init is using bootstrap bionic
# execute together with map/read/open on the library files: presumably for
# loading the bootstrap libraries into init's own process, not for running a
# separate program.
562 allow init system_bootstrap_lib_file:dir r_dir_perms;
563 allow init system_bootstrap_lib_file:file { execute read open getattr map };
# neverallow rules are assertions checked when the policy is compiled. They
# grant and deny nothing at runtime, but a policy containing an allow rule that
# contradicts one of them fails the check. They pin down the boundary around
# the highly privileged init domain.
569 # The init domain is only entered via an exec based transition from the
# No domain may dyntransition into init; only kernel may transition into it;
# init_exec is the only file type that may serve as init's entrypoint.
571 neverallow domain init:process dyntransition;
572 neverallow { domain -kernel } init:process transition;
573 neverallow init { file_type fs_type -init_exec }:file entrypoint;
# init must never read symlinks labeled as shell or app data.
# NOTE(review): presumably so init never follows a link planted in a
# shell- or app-writable directory; the rationale comment is not listed.
576 neverallow init shell_data_file:lnk_file read;
577 neverallow init { app_data_file privapp_data_file }:lnk_file read;
579 # init should never execute a program without changing to another domain.
# execute_no_trans would run the program in init's own domain; forbidding it
# means every program init starts must run under a different domain.
580 neverallow init { file_type fs_type }:file execute_no_trans;
582 # init can only find the APEX service
583 neverallow init { service_manager_type -apex_service }:service_manager { find };
584 # init can never add binder services
585 neverallow init service_manager_type:service_manager { add };
586 # init can never list binder services
587 neverallow init servicemanager:service_manager list;
# Consistent with the allow rule at original line 433, which grants create and
# search on shell_data_file dirs but no write, add_name or remove_name.
590 neverallow init shell_data_file:dir { write add_name remove_name };
# Applies to files carrying the generic sysfs label. NOTE(review): presumably
# this forces a specific sysfs type (e.g. sysfs_vibrator at original line 390)
# for every sysfs file init opens; confirm against the original comment.
593 neverallow init sysfs:file { open read write };
595 # No domain should be allowed to ptrace init.
# `*` matches every type as the source.
596 neverallow * init:process ptrace;