# SELinux policy for the vendor_init domain.  Every rule in this file is an
# allow rule for that single domain.  Several rules are written as type-set
# expressions: a broad attribute (file_type, fs_type, dev_type) with "-type"
# exclusions carved out of it.  Those exclusions are what keep this domain
# away from executables, /system files and vendor files, so any change to
# an exclusion list widens what vendor init scripts may touch.
# vendor_init is its own domain.
type vendor_init, domain;

# Communication to the main init process
allow vendor_init init:unix_stream_socket { read write };

# Logging to kmsg
allow vendor_init kmsg_device:chr_file { open getattr write };

# Mount on /dev/usb-ffs/adb.
allow vendor_init device:dir mounton;

# Create and remove symlinks in /.
allow vendor_init rootfs:lnk_file { create unlink };

# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir create_dir_perms;
allow vendor_init cgroup:file w_file_perms;
allow vendor_init cgroup_v2:dir create_dir_perms;
allow vendor_init cgroup_v2:file w_file_perms;

# /config (configfs): mount point, plus creating/removing entries beneath it.
allow vendor_init configfs:dir mounton;
allow vendor_init configfs:dir create_dir_perms;
allow vendor_init configfs:{ file lnk_file } create_file_perms;

# Create directories under /dev/cpuctl after chowning it to system.
# dac_override / dac_read_search bypass the DAC (mode-bit) checks, so for
# this domain the SELinux rules below are the only bound on which files it
# can reach.
allow vendor_init self:global_capability_class_set { dac_override dac_read_search };

# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr, because they are implemented as open()+fchown()/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow vendor_init self:global_capability_class_set { chown fowner fsetid };

allow vendor_init system_data_file:dir getattr;

# Directories: every file_type except executables, /system files, unlabeled
# files and vendor files.  This is a write-capable set (create, write,
# add_name, remove_name, rmdir), not a read-only one.
allow vendor_init {
  file_type
  -exec_type
  -system_file_type
  -unlabeled
  -vendor_file_type
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };

# unlabeled objects may only be inspected and relabeled away from; they are
# deliberately excluded from the in-place write rules around this one.
allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };

# Regular files: same exclusions as the dir rule, plus apex_info_file and,
# when enforce_debugfs_restriction() expands to its argument, debugfs_type.
# NOTE(review): the macro's expansion is not visible in this file; it looks
# like a build-time switch — confirm against the macro definition.
allow vendor_init {
  file_type
  -exec_type
  -system_file_type
  -unlabeled
  -vendor_file_type
  -apex_info_file
  enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };

# Sockets and FIFOs: create/remove and relabel-from, but no write.
allow vendor_init {
  file_type
  -exec_type
  -system_file_type
  -unlabeled
  -vendor_file_type
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

# Symlinks: additionally keeps apex_mnt_dir out of reach.
allow vendor_init {
  file_type
  -apex_mnt_dir
  -exec_type
  -system_file_type
  -unlabeled
  -vendor_file_type
}:lnk_file { create getattr setattr relabelfrom unlink };

# Target labels for restorecon (relabelto).  Unlike the relabelfrom rules
# above, unlabeled is not excluded here, so relabeling an object *to*
# unlabeled is permitted.
# NOTE(review): confirm that asymmetry is intentional.
allow vendor_init {
  file_type
  -exec_type
  -system_file_type
  -vendor_file_type
}:dir_file_class_set relabelto;

# Directories and symlinks under /dev (all dev_type labels).
allow vendor_init dev_type:dir create_dir_perms;
allow vendor_init dev_type:lnk_file create;

# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow vendor_init debugfs_tracing:file w_file_perms;

# chown/chmod on pseudo files.
# Exclusions: fusefs_type, rootfs, the per-uid /proc time accounting nodes,
# and (conditionally, see above) debugfs_type.  Note that "map" is granted
# alongside setattr here.
allow vendor_init {
  fs_type
  -fusefs_type
  -rootfs
  -proc_uid_time_in_state
  -proc_uid_concurrent_active_time
  -proc_uid_concurrent_policy_time
  enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr map };

allow vendor_init tracefs_type:file { open read setattr map };

# Same pseudo-fs set for directories; no write, and no debugfs carve-out
# (this rule does not use enforce_debugfs_restriction()).
allow vendor_init {
  fs_type
  -fusefs_type
  -rootfs
  -proc_uid_time_in_state
  -proc_uid_concurrent_active_time
  -proc_uid_concurrent_policy_time
}:dir  { open read setattr search };

allow vendor_init dev_type:blk_file getattr;

# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
# net_admin is the capability the kernel checks for those sysctl writes.
r_dir_file(vendor_init, proc_net_type)
allow vendor_init proc_net_type:file w_file_perms;
allow vendor_init self:global_capability_class_set net_admin;

# Write to /proc/sys/vm/page-cluster
allow vendor_init proc_page_cluster:file w_file_perms;

# Write to sysfs nodes.
# sysfs_usermodehelper is carved out of the read/write rule; presumably so
# that init scripts cannot change which user-mode helpers the kernel
# launches — confirm against the definition of that type.
allow vendor_init sysfs_type:dir r_dir_perms;
allow vendor_init sysfs_type:lnk_file read;
allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;

# setfscreatecon() for labeling directories and socket files.
allow vendor_init self:process { setfscreate };

# Read access to vendor files and directories (the write rules above
# exclude vendor_file_type).
r_dir_file(vendor_init, vendor_file_type)

# Vendor init can perform operations on trusted and security Extended Attributes
# sys_admin is a very broad capability; the xattr use above is the stated
# reason for granting it.
allow vendor_init self:global_capability_class_set sys_admin;

# vendor_init is using bootstrap bionic
use_bootstrap_libs(vendor_init)

# Get file context
allow vendor_init file_contexts_file:file r_file_perms;

# Allow vendor_init to (re)set nice
# NOTE(review): this rule uses the plain "capability" class while every
# other capability grant in this file uses global_capability_class_set —
# confirm whether the narrower class is intended.
allow vendor_init self:capability sys_nice;

# chown/chmod on devices, e.g. /dev/ttyHS0
# hw_random_device is excluded, so the RNG device node's owner/mode cannot
# be changed from vendor init scripts.
allow vendor_init {
  dev_type
  -hw_random_device
}:chr_file setattr;
