Lines Matching refs:init
1 # init is its own domain.
2 type init, domain, mlstrustedsubject;
6 # /dev/__null__ node created by init.
7 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
10 # init direct restorecon calls.
13 allow init tmpfs:chr_file relabelfrom;
14 allow init kmsg_device:chr_file { getattr write relabelto };
17 allow init kmsg_debug_device:chr_file { open write relabelto };
20 # allow init to mount and unmount debugfs in debug builds
22 allow init debugfs:dir mounton;
26 allow init properties_device:dir relabelto;
27 allow init properties_serial:file { write relabelto };
28 allow init property_type:file { append create getattr map open read relabelto rename setattr unlink…
30 allow init properties_device:file create_file_perms;
31 allow init property_info:file relabelto;
33 allow init device:file relabelfrom;
34 allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
36 allow init { device socket_device dm_user_device }:dir relabelto;
37 # allow init to establish connection and communicate with lmkd
38 unix_socket_connect(init, lmkd, lmkd)
39 # Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
41 allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
43 allow init tmpfs:{ chr_file blk_file } relabelfrom;
44 allow init tmpfs:blk_file getattr;
45 allow init block_device:{ dir blk_file lnk_file } relabelto;
46 allow init dm_device:{ chr_file blk_file } relabelto;
47 allow init dm_user_device:chr_file relabelto;
48 allow init kernel:fd use;
50 allow init tmpfs:lnk_file { getattr read relabelfrom };
51 allow init {
59 allow init super_block_device:lnk_file relabelto;
62 allow init mnt_sdcard_file:lnk_file create;
65 allow init self:global_capability_class_set sys_resource;
68 allow init tmpfs:file { getattr unlink };
71 allow init devpts:chr_file { read write open };
74 allow init fscklogs:file create_file_perms;
77 allow init tmpfs:chr_file write;
80 allow init console_device:chr_file rw_file_perms;
83 allow init tty_device:chr_file rw_file_perms;
86 allow init self:global_capability_class_set sys_admin;
89 allow init self:global_capability_class_set sys_chroot;
92 allow init rootfs:dir create_dir_perms;
93 allow init {
110 allow init fs_bpf:dir mounton;
113 allow init device:dir mounton;
116 allow init apex_mnt_dir:dir mounton;
119 allow init art_apex_dir:dir mounton;
122 allow init rootfs:lnk_file { create unlink };
125 allow init sysfs:dir mounton;
128 allow init tmpfs:dir create_dir_perms;
129 allow init tmpfs:dir mounton;
130 allow init cgroup:dir create_dir_perms;
131 allow init cgroup:file rw_file_perms;
132 allow init cgroup_rc_file:file rw_file_perms;
133 allow init cgroup_desc_file:file r_file_perms;
134 allow init cgroup_desc_api_file:file r_file_perms;
135 allow init vendor_cgroup_desc_file:file r_file_perms;
136 allow init cgroup_v2:dir { mounton create_dir_perms};
137 allow init cgroup_v2:file rw_file_perms;
140 allow init configfs:dir mounton;
141 allow init configfs:dir create_dir_perms;
142 allow init configfs:{ file lnk_file } create_file_perms;
145 allow init metadata_file:dir mounton;
148 allow init tmpfs:dir relabelfrom;
151 allow init self:global_capability_class_set { dac_override dac_read_search };
154 allow init self:global_capability_class_set sys_time;
156 allow init self:global_capability_class_set { sys_rawio mknod };
159 allow init dev_type:blk_file r_file_perms;
160 allowxperm init dev_type:blk_file ioctl BLKROSET;
161 allowxperm init system_data_root_file:dir ioctl F2FS_IOC_SHUTDOWN;
168 allow init {
173 # Allow init to mount/unmount debugfs in non-user builds.
175 userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
178 # Allow init to mount tracefs in /sys/kernel/tracing
179 allow init debugfs_tracing_debug:filesystem mount;
181 allow init unlabeled:filesystem ~relabelto;
182 allow init contextmount_type:filesystem relabelto;
185 allow init contextmount_type:dir r_dir_perms;
186 allow init contextmount_type:notdevfile_class_set r_file_perms;
190 allow init rootfs:{ dir file } relabelfrom;
192 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
194 # system/core/init.rc requires at least cache_file and data_file_type.
195 # init.<board>.rc files often include device-specific types, so
197 allow init self:global_capability_class_set { chown fowner fsetid };
199 allow init {
213 allow init {
234 allow init {
256 allow init tracefs_type:file { create_file_perms relabelfrom };
258 # Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine
260 allow init apex_info_file:file r_file_perms;
262 allow init {
281 allow init {
301 allow init cache_file:lnk_file r_file_perms;
303 allow init {
314 allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir …
315 allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file }…
316 allow init dev_type:dir create_dir_perms;
317 allow init dev_type:lnk_file create;
320 allow init debugfs_tracing:file w_file_perms;
323 allow init debugfs_tracing_instances:dir create_dir_perms;
324 allow init debugfs_tracing_instances:file w_file_perms;
325 allow init debugfs_wifi_tracing:file w_file_perms;
328 allow init {
340 allow init {
349 allow init {
367 allow init unlabeled:dir { create_dir_perms relabelfrom };
368 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
372 allow init kernel:system syslog_mod;
373 allow init self:global_capability2_class_set syslog;
375 # init access to /proc.
376 r_dir_file(init, proc_net_type)
377 allow init proc_filesystems:file r_file_perms;
381 allow init overlayfs_file:dir { relabelfrom mounton write };
382 allow init overlayfs_file:file { append rename };
383 allow init overlayfs_file:chr_file unlink;
384 allow init system_block_device:blk_file { write };
387 allow init {
399 allow init {
418 allow init {
422 # init chmod/chown access to /proc files.
423 allow init {
436 # init access to /sys files.
437 allow init {
447 allow init {
452 allow init {
456 # allow init to create loop devices with /dev/loop-control
457 allow init loop_control_device:chr_file rw_file_perms;
458 allow init loop_device:blk_file rw_file_perms;
459 allowxperm init loop_device:blk_file ioctl {
469 # Allow init to write to vibrator/trigger
470 allow init sysfs_vibrator:file w_file_perms;
472 # init chmod/chown access to /sys files.
473 allow init {
486 allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
488 allow init self:global_capability_class_set net_admin;
491 allow init self:global_capability_class_set sys_boot;
495 allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
496 allow init misc_logd_file:file { open create getattr setattr write };
499 allow init self:global_capability_class_set kill;
500 allow init domain:process { getpgid sigkill signal };
504 allow init credstore_data_file:dir { open create read getattr setattr search };
505 allow init credstore_data_file:file { getattr };
509 allow init keystore_data_file:dir { open create read getattr setattr search };
510 allow init keystore_data_file:file { getattr };
514 allow init vold_data_file:dir { open create read getattr setattr search };
515 allow init vold_data_file:file { getattr };
518 allow init shell_data_file:dir { open create read getattr setattr search };
519 allow init shell_data_file:file { getattr };
522 allow init self:global_capability_class_set { setuid setgid setpcap };
525 # we need to have following line to allow init to have access
527 r_dir_file(init, domain)
533 allow init self:process { setexec setfscreate setsockcreate };
536 allow init file_contexts_file:file r_file_perms;
539 allow init sepolicy_file:file r_file_perms;
542 selinux_check_access(init)
545 allow init kernel:security compute_create;
548 allow init domain:unix_stream_socket { create bind setopt };
549 allow init domain:unix_dgram_socket { create bind setopt };
552 allow init property_data_file:dir create_dir_perms;
553 allow init property_data_file:file create_file_perms;
556 allow init property_type:property_service set;
561 allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
562 allow init self:global_capability_class_set audit_write;
565 allow init self:udp_socket { create ioctl };
566 # in addition to unpriv ioctls granted to all domains, init also needs:
567 allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
568 allow init self:global_capability_class_set net_raw;
572 allow init kernel:process { getsched setsched };
576 allow init swap_block_device:blk_file rw_file_perms;
581 # only ever accessed by init.
582 allow init device:file create_file_perms;
585 allow init input_device:dir r_dir_perms;
586 allow init input_device:chr_file rw_file_perms;
589 allow init dm_device:chr_file rw_file_perms;
590 allow init dm_device:blk_file rw_file_perms;
593 allow init dm_user_device:chr_file rw_file_perms;
596 allow init metadata_block_device:blk_file rw_file_perms;
600 allow init pstorefs:dir search;
601 allow init pstorefs:file r_file_perms;
602 allow init kernel:system syslog_read;
605 allow init init:key { write search setattr };
607 # Allow init to create /data/unencrypted
608 allow init unencrypted_data_file:dir create_dir_perms;
611 allowxperm init { data_file_type unlabeled }:dir ioctl {
617 allow init misc_block_device:blk_file w_file_perms;
619 r_dir_file(init, system_file)
620 r_dir_file(init, system_dlkm_file_type)
621 r_dir_file(init, vendor_file_type)
623 allow init system_data_file:file { getattr read };
624 allow init system_data_file:lnk_file r_file_perms;
626 # For init to be able to run shell scripts from vendor
627 allow init vendor_shell_exec:file execute;
630 allow init vold_metadata_file:dir create_dir_perms;
631 allow init vold_metadata_file:file getattr;
632 allow init metadata_bootstat_file:dir create_dir_perms;
633 allow init metadata_bootstat_file:file w_file_perms;
634 allow init userspace_reboot_metadata_file:file w_file_perms;
636 # Allow init to touch PSI monitors
637 allow init proc_pressure_mem:file { rw_file_perms setattr };
639 # init is using bootstrap bionic
640 use_bootstrap_libs(init)
643 allow init fuse:dir { search getattr };
646 allow init userdata_sysdev:file create_file_perms;
649 allow init rootdisk_sysdev:file create_file_perms;
655 # The init domain is only entered via an exec based transition from the
657 neverallow domain init:process dyntransition;
658 neverallow { domain -kernel } init:process transition;
659 neverallow init { file_type fs_type -init_exec }:file entrypoint;
662 neverallow init shell_data_file:lnk_file read;
663 neverallow init { app_data_file privapp_data_file }:lnk_file read;
665 # init should never execute a program without changing to another domain.
666 neverallow init { file_type fs_type }:file execute_no_trans;
669 # when init is executing other binaries. The use of LD_PRELOAD for init spawned
675 neverallow init *:process noatsecure;
677 # init can never add binder services
678 neverallow init service_manager_type:service_manager { add find };
679 # init can never list binder services
680 neverallow init servicemanager:service_manager list;
683 neverallow init shell_data_file:dir { write add_name remove_name };
686 neverallow init sysfs:file { open write };
688 # No domain should be allowed to ptrace init.
689 neverallow * init:process ptrace;
691 # init owns the root of /data
694 neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name …