Lines Matching refs:init
# Policy rules for the init domain. This page lists only the lines of the
# policy file that mention "init": the leading number on each line is the
# original file line number, and gaps in the numbering are lines not shown.
# Tag the init type with the coredomain attribute.
1 typeattribute init coredomain;
# tmpfs_domain() is a policy macro defined outside this listing.
# NOTE(review): presumably it sets up init's access to its own tmpfs-backed
# files -- confirm against the te_macros in this tree.
3 tmpfs_domain(init)
# Domain transitions out of init. Both macros are defined outside this listing.
# NOTE(review): in AOSP's te_macros, domain_trans(old, exec_type, new) lets
# `old` execute a file labelled exec_type and lets `new` be entered through it,
# without making the transition the default; domain_auto_trans() additionally
# adds a type_transition so the switch happens on exec -- confirm against the
# te_macros in this tree.
5 # Transitions to seclabel processes in init.rc
6 domain_trans(init, rootfs, slideshow)
7 domain_auto_trans(init, charger_exec, charger)
8 domain_auto_trans(init, e2fs_exec, e2fs)
9 domain_auto_trans(init, bpfloader_exec, bpfloader)
# The rules below name the generic rootfs label, not a dedicated *_exec type,
# as the executable type. NOTE(review): if the macro behaves as described above,
# any file labelled rootfs is a valid entry point for each of these domains, so
# the domain is chosen by the seclabel in init.rc rather than by the file label;
# what may carry the rootfs label is therefore part of the trust boundary.
13 domain_trans(init, rootfs, adbd)
14 domain_trans(init, rootfs, hal_bootctl_server)
15 domain_trans(init, rootfs, charger)
16 domain_trans(init, rootfs, fastbootd)
17 domain_trans(init, rootfs, hal_fastboot_server)
18 domain_trans(init, rootfs, hal_health_server)
19 domain_trans(init, rootfs, recovery)
20 domain_trans(init, rootfs, linkerconfig)
21 domain_trans(init, rootfs, servicemanager)
22 domain_trans(init, rootfs, snapuserd)
24 domain_trans(init, shell_exec, shell)
# ueventd and vendor_init are both entered through init_exec, so the file label
# alone cannot pick between them.
25 domain_trans(init, init_exec, ueventd)
26 domain_trans(init, init_exec, vendor_init)
# modprobe accepts two executable types: rootfs and toolbox_exec.
27 domain_trans(init, { rootfs toolbox_exec }, modprobe)
30 domain_auto_trans(init, logcat_exec, logpersist)
32 # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
# NOTE(review): the comment limits this to userdebug/eng builds, but no build
# guard is visible in the lines shown here; confirm in the full file (or in the
# su domain's own policy) that nothing in user builds can use this transition.
33 allow init su:process transition;
# dontaudit grants nothing: it only keeps the noatsecure denial out of the audit log.
34 dontaudit init su:process noatsecure;
# Let the su process inherit signal state (siginh) and resource limits
# (rlimitinh) from init across the transition.
35 allow init su:process { siginh rlimitinh };
# sysfs, /dev and /proc access used by init for block-device handling.
# r_dir_perms and rw_file_perms are permission-set macros defined outside this listing.
38 # Allow init to figure out name of dm-device from its /dev/block/dm-XX path.
# (Original lines 39-41 are not shown in this listing.)
42 allow init sysfs_dm:file read;
44 # Allow init to modify the properties of loop devices.
45 allow init sysfs_loop:dir r_dir_perms;
46 allow init sysfs_loop:file rw_file_perms;
48 # Allow init to examine the properties of block devices.
# NOTE(review): sysfs_type and dev_type look like attributes spanning many
# types, which would make the next three rules broad in scope; they grant only
# getattr/read and directory read permissions, no write -- confirm the
# attribute membership.
49 allow init sysfs_type:file { getattr read };
50 # Allow init to get the attributes of block devices in /dev/block.
51 allow init dev_type:dir r_dir_perms;
52 allow init dev_type:blk_file getattr;
54 # Allow init to write to the drop_caches file.
55 allow init proc_drop_caches:file rw_file_perms;
# set_prop() is a policy macro defined outside this listing.
# NOTE(review): in AOSP it grants the domain permission to set properties of
# the given type through the property service -- confirm against te_macros.
58 set_prop(init, powerctl_prop)
60 # Only init is allowed to set userspace reboot related properties.
61 set_prop(init, userspace_reboot_exported_prop)
# neverallow grants nothing. It is an assertion checked when the policy is
# built: the build fails if any allow rule gives a domain other than init the
# `set` permission on this property type.
62 neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
64 # Second-stage init performs a test for whether the kernel has SELinux hooks
# (The comment above continues on original lines 65-69, which are not shown in
# this listing.)
# init may open a perf event on itself with the `open` and `cpu` permissions.
70 allow init self:perf_event { open cpu };
# global_capability2_class_set is a class-set macro defined outside this listing.
# NOTE(review): presumably this grants the perfmon capability needed for the
# open above -- confirm.
71 allow init self:global_capability2_class_set perfmon;
# Build-time assertion that init never gets the kernel, tracepoint, read or
# write perf_event permissions, so the grant above cannot widen unnoticed.
72 neverallow init self:perf_event { kernel tracepoint read write };
# Keep the denials for those same permissions out of the audit log.
73 dontaudit init self:perf_event { kernel tracepoint read write };
75 # Allow init to communicate with snapuserd to transition Virtual A/B devices
# (The comment above continues on original line 76, which is not shown.)
# Client side only: write to the socket file and connect to snapuserd's stream socket.
77 allow init snapuserd_socket:sock_file write;
78 allow init snapuserd:unix_stream_socket connectto;
# Only the `lock` permission on the OTA metadata directory is granted here; the
# comment for this rule (original line 79) is not shown in this listing.
80 allow init ota_metadata_file:dir lock;
82 # Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# (The comment above continues on original line 83, which is not shown.)
# relabelto lets init assign the vd_device label to a block device node; no
# matching relabelfrom rule appears among the lines shown.
84 allow init vd_device:blk_file relabelto;
# Properties that only init may set. Each neverallow is an assertion checked
# when the policy is built and grants nothing by itself: it fails the build if
# any domain other than init is given `set` on the named property type.
86 # Only init is allowed to set the sysprop indicating whether perf_event_open()
# (The comment above continues on original line 87, which is not shown.)
88 set_prop(init, init_perf_lsm_hooks_prop)
89 neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
91 # Only init can write vts.native_server.on
92 set_prop(init, vts_status_prop)
93 neverallow { domain -init } vts_status_prop:property_service set;
# NOTE(review): the four assertions below have no matching set_prop(init, ...)
# among the lines shown; init's own permission to set these types presumably
# comes from a rule elsewhere -- confirm.
95 # Only init can write normal ro.boot. properties
96 neverallow { domain -init } bootloader_prop:property_service set;
98 # Only init can write hal.instrumentation.enable
99 neverallow { domain -init } hal_instrumentation_prop:property_service set;
101 # Only init can write ro.property_service.version
102 neverallow { domain -init } property_service_version_prop:property_service set;
104 # Only init can set keystore.boot_level
# NOTE(review): the comment names keystore.boot_level while the rule names the
# type keystore_listen_prop; the name-to-type mapping lives in the
# property_contexts file, which is not shown here -- confirm that they match.
105 neverallow { domain -init } keystore_listen_prop:property_service set;
# w_file_perms is a permission-set macro defined outside this listing; the
# comment for this rule (original lines 106-107) is not shown.
108 allow init debugfs_bootreceiver_tracing:file w_file_perms;
110 # PRNG seeder daemon socket is created and listened on by init before forking.
# Only create, bind and listen are granted to init on a stream socket labelled
# prng_seeder; accept is not among the permissions listed here.
111 allow init prng_seeder:unix_stream_socket { create bind listen };
# dontaudit grants nothing: init still cannot create entries in this debugfs
# directory, and the denial is simply not logged. The reason given in the file
# (original lines 112-115) is not shown in this listing.
116 dontaudit init debugfs_tracing_debug:dir { write add_name };
119 allow init {