Lines Matching refs:init

1 # init is its own domain.
2 type init, domain, mlstrustedsubject;
6 # /dev/__null__ node created by init.
7 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
10 # init direct restorecon calls.
13 allow init tmpfs:chr_file relabelfrom;
14 allow init kmsg_device:chr_file { getattr write relabelto };
17   allow init kmsg_debug_device:chr_file { open write relabelto };
20 # allow init to mount and unmount debugfs in debug builds
22   allow init debugfs:dir mounton;
26 allow init properties_device:dir relabelto;
27 allow init properties_serial:file { write relabelto };
28 allow init property_type:file { append create getattr map open read relabelto rename setattr unlink…
30 allow init properties_device:file create_file_perms;
31 allow init property_info:file relabelto;
33 allow init device:file relabelfrom;
34 allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
36 allow init { device socket_device dm_user_device }:dir relabelto;
37 # allow init to establish connection and communicate with lmkd
38 unix_socket_connect(init, lmkd, lmkd)
39 # Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
41 allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
43 allow init tmpfs:{ chr_file blk_file } relabelfrom;
44 allow init tmpfs:blk_file getattr;
45 allow init block_device:{ dir blk_file lnk_file } relabelto;
46 allow init dm_device:{ chr_file blk_file } relabelto;
47 allow init dm_user_device:chr_file relabelto;
48 allow init kernel:fd use;
50 allow init tmpfs:lnk_file { getattr read relabelfrom };
51 allow init {
59 allow init super_block_device:lnk_file relabelto;
62 allow init mnt_sdcard_file:lnk_file create;
65 allow init self:global_capability_class_set sys_resource;
68 allow init tmpfs:file { getattr unlink };
71 allow init devpts:chr_file { read write open };
74 allow init fscklogs:file create_file_perms;
77 allow init tmpfs:chr_file write;
80 allow init console_device:chr_file rw_file_perms;
83 allow init tty_device:chr_file rw_file_perms;
86 allow init self:global_capability_class_set sys_admin;
89 allow init self:global_capability_class_set sys_chroot;
92 allow init rootfs:dir create_dir_perms;
93 allow init {
110 allow init fs_bpf:dir mounton;
113 allow init device:dir mounton;
116 allow init apex_mnt_dir:dir mounton;
119 allow init art_apex_dir:dir mounton;
122 allow init rootfs:lnk_file { create unlink };
125 allow init sysfs:dir mounton;
128 allow init tmpfs:dir create_dir_perms;
129 allow init tmpfs:dir mounton;
130 allow init cgroup:dir create_dir_perms;
131 allow init cgroup:file rw_file_perms;
132 allow init cgroup_rc_file:file rw_file_perms;
133 allow init cgroup_desc_file:file r_file_perms;
134 allow init cgroup_desc_api_file:file r_file_perms;
135 allow init vendor_cgroup_desc_file:file r_file_perms;
136 allow init cgroup_v2:dir { mounton create_dir_perms};
137 allow init cgroup_v2:file rw_file_perms;
140 allow init configfs:dir mounton;
141 allow init configfs:dir create_dir_perms;
142 allow init configfs:{ file lnk_file } create_file_perms;
145 allow init metadata_file:dir mounton;
148 allow init tmpfs:dir relabelfrom;
151 allow init self:global_capability_class_set { dac_override dac_read_search };
154 allow init self:global_capability_class_set sys_time;
156 allow init self:global_capability_class_set { sys_rawio mknod };
159 allow init dev_type:blk_file r_file_perms;
160 allowxperm init dev_type:blk_file ioctl BLKROSET;
167 allow init {
172 # Allow init to mount/unmount debugfs in non-user builds.
174   userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
177 # Allow init to mount tracefs in /sys/kernel/tracing
178 allow init debugfs_tracing_debug:filesystem mount;
180 allow init unlabeled:filesystem ~relabelto;
181 allow init contextmount_type:filesystem relabelto;
184 allow init contextmount_type:dir r_dir_perms;
185 allow init contextmount_type:notdevfile_class_set r_file_perms;
189 allow init rootfs:{ dir file } relabelfrom;
191 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
193 # system/core/init.rc requires at least cache_file and data_file_type.
194 # init.<board>.rc files often include device-specific types, so
196 allow init self:global_capability_class_set { chown fowner fsetid };
198 allow init {
211 allow init {
229 allow init {
251 allow init tracefs_type:file { create_file_perms relabelfrom };
253 allow init {
272 allow init {
292 allow init cache_file:lnk_file r_file_perms;
294 allow init {
304 allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir …
305 allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file }…
306 allow init dev_type:dir create_dir_perms;
307 allow init dev_type:lnk_file create;
310 allow init debugfs_tracing:file w_file_perms;
313 allow init debugfs_tracing_instances:dir create_dir_perms;
314 allow init debugfs_tracing_instances:file w_file_perms;
315 allow init debugfs_wifi_tracing:file w_file_perms;
318 allow init {
329 allow init { fs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir  { open read setatt…
331 allow init {
349 allow init unlabeled:dir { create_dir_perms relabelfrom };
350 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
354 allow init kernel:system syslog_mod;
355 allow init self:global_capability2_class_set syslog;
357 # init access to /proc.
358 r_dir_file(init, proc_net_type)
359 allow init proc_filesystems:file r_file_perms;
363   allow init overlayfs_file:dir { relabelfrom mounton write };
364   allow init overlayfs_file:file { append };
365   allow init system_block_device:blk_file { write };
368 allow init {
380 allow init {
400 allow init {
404 # init chmod/chown access to /proc files.
405 allow init {
418 # init access to /sys files.
419 allow init {
429 allow init {
434 allow init {
438 # allow init to create loop devices with /dev/loop-control
439 allow init loop_control_device:chr_file rw_file_perms;
440 allow init loop_device:blk_file rw_file_perms;
441 allowxperm init loop_device:blk_file ioctl {
451 # Allow init to write to vibrator/trigger
452 allow init sysfs_vibrator:file w_file_perms;
454 # init chmod/chown access to /sys files.
455 allow init {
468 allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
470 allow init self:global_capability_class_set net_admin;
473 allow init self:global_capability_class_set sys_boot;
477 allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
478 allow init misc_logd_file:file { open create getattr setattr write };
481 allow init self:global_capability_class_set kill;
482 allow init domain:process { getpgid sigkill signal };
486 allow init credstore_data_file:dir { open create read getattr setattr search };
487 allow init credstore_data_file:file { getattr };
491 allow init keystore_data_file:dir { open create read getattr setattr search };
492 allow init keystore_data_file:file { getattr };
496 allow init vold_data_file:dir { open create read getattr setattr search };
497 allow init vold_data_file:file { getattr };
500 allow init shell_data_file:dir { open create read getattr setattr search };
501 allow init shell_data_file:file { getattr };
504 allow init self:global_capability_class_set { setuid setgid setpcap };
507 # we need to have following line to allow init to have access
509 r_dir_file(init, domain)
515 allow init self:process { setexec setfscreate setsockcreate };
518 allow init file_contexts_file:file r_file_perms;
521 allow init sepolicy_file:file r_file_perms;
524 selinux_check_access(init)
527 allow init kernel:security compute_create;
530 allow init domain:unix_stream_socket { create bind setopt };
531 allow init domain:unix_dgram_socket { create bind setopt };
534 allow init property_data_file:dir create_dir_perms;
535 allow init property_data_file:file create_file_perms;
538 allow init property_type:property_service set;
543 allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
544 allow init self:global_capability_class_set audit_write;
547 allow init self:udp_socket { create ioctl };
548 # in addition to unpriv ioctls granted to all domains, init also needs:
549 allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
550 allow init self:global_capability_class_set net_raw;
554 allow init kernel:process { getsched setsched };
558 allow init swap_block_device:blk_file rw_file_perms;
563 # only ever accessed by init.
564 allow init device:file create_file_perms;
567 allow init input_device:dir r_dir_perms;
568 allow init input_device:chr_file rw_file_perms;
571 allow init dm_device:chr_file rw_file_perms;
572 allow init dm_device:blk_file rw_file_perms;
575 allow init dm_user_device:chr_file rw_file_perms;
578 allow init metadata_block_device:blk_file rw_file_perms;
582 allow init pstorefs:dir search;
583 allow init pstorefs:file r_file_perms;
584 allow init kernel:system syslog_read;
587 allow init init:key { write search setattr };
589 # Allow init to create /data/unencrypted
590 allow init unencrypted_data_file:dir create_dir_perms;
593 allowxperm init { data_file_type unlabeled }:dir ioctl {
599 allow init misc_block_device:blk_file w_file_perms;
601 r_dir_file(init, system_file)
602 r_dir_file(init, system_dlkm_file_type)
603 r_dir_file(init, vendor_file_type)
605 allow init system_data_file:file { getattr read };
606 allow init system_data_file:lnk_file r_file_perms;
608 # For init to be able to run shell scripts from vendor
609 allow init vendor_shell_exec:file execute;
612 allow init vold_metadata_file:dir create_dir_perms;
613 allow init vold_metadata_file:file getattr;
614 allow init metadata_bootstat_file:dir create_dir_perms;
615 allow init metadata_bootstat_file:file w_file_perms;
616 allow init userspace_reboot_metadata_file:file w_file_perms;
618 # Allow init to touch PSI monitors
619 allow init proc_pressure_mem:file { rw_file_perms setattr };
621 # init is using bootstrap bionic
622 use_bootstrap_libs(init)
625 allow init fuse:dir { search getattr };
628 allow init userdata_sysdev:file create_file_perms;
631 allow init rootdisk_sysdev:file create_file_perms;
637 # The init domain is only entered via an exec based transition from the
639 neverallow domain init:process dyntransition;
640 neverallow { domain -kernel } init:process transition;
641 neverallow init { file_type fs_type -init_exec }:file entrypoint;
644 neverallow init shell_data_file:lnk_file read;
645 neverallow init { app_data_file privapp_data_file }:lnk_file read;
647 # init should never execute a program without changing to another domain.
648 neverallow init { file_type fs_type }:file execute_no_trans;
651 # when init is executing other binaries. The use of LD_PRELOAD for init spawned
657 neverallow init *:process noatsecure;
659 # init can never add binder services
660 neverallow init service_manager_type:service_manager { add find };
661 # init can never list binder services
662 neverallow init servicemanager:service_manager list;
665 neverallow init shell_data_file:dir { write add_name remove_name };
668 neverallow init sysfs:file { open write };
670 # No domain should be allowed to ptrace init.
671 neverallow * init:process ptrace;
673 # init owns the root of /data
676 neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name …