• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# init is its own domain.
2type init, domain, mlstrustedsubject;
3type init_exec, system_file_type, exec_type, file_type;
4type init_tmpfs, file_type;
5
6# /dev/__null__ node created by init.
7allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
8
9#
10# init direct restorecon calls.
11#
12# /dev/kmsg
13allow init tmpfs:chr_file relabelfrom;
14allow init kmsg_device:chr_file { getattr write relabelto };
15# /dev/kmsg_debug
16userdebug_or_eng(`
17  allow init kmsg_debug_device:chr_file { open write relabelto };
18')
19
20# allow init to mount and unmount debugfs in debug builds
21userdebug_or_eng(`
22  allow init debugfs:dir mounton;
23')
24
25# /dev/__properties__
26allow init properties_device:dir relabelto;
27allow init properties_serial:file { write relabelto };
28allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
29# /dev/__properties__/property_info
30allow init properties_device:file create_file_perms;
31allow init property_info:file relabelto;
32# /dev/event-log-tags
33allow init device:file relabelfrom;
34allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
35# /dev/socket
36allow init { device socket_device dm_user_device }:dir relabelto;
37# allow init to establish connection and communicate with lmkd
38unix_socket_connect(init, lmkd, lmkd)
39# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
40# and /dev/urandom
41allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
42# /dev/device-mapper, /dev/block(/.*)?
43allow init tmpfs:{ chr_file blk_file } relabelfrom;
44allow init tmpfs:blk_file getattr;
45allow init block_device:{ dir blk_file lnk_file } relabelto;
46allow init dm_device:{ chr_file blk_file } relabelto;
47allow init dm_user_device:chr_file relabelto;
48allow init kernel:fd use;
49# restorecon for early mount device symlinks
50allow init tmpfs:lnk_file { getattr read relabelfrom };
51allow init {
52  metadata_block_device
53  misc_block_device
54  recovery_block_device
55  system_block_device
56  userdata_block_device
57}:{ blk_file lnk_file } relabelto;
58
59allow init super_block_device:lnk_file relabelto;
60
61# Create /mnt/sdcard -> /storage/self/primary symlink.
62allow init mnt_sdcard_file:lnk_file create;
63
64# setrlimit
65allow init self:global_capability_class_set sys_resource;
66
67# Remove /dev/.booting and load /debug_ramdisk/* files
68allow init tmpfs:file { getattr unlink };
69
70# Access pty created for fsck.
71allow init devpts:chr_file { read write open };
72
73# Create /dev/fscklogs files.
74allow init fscklogs:file create_file_perms;
75
76# Access /dev/__null__ node created prior to initial policy load.
77allow init tmpfs:chr_file write;
78
79# Access /dev/console.
80allow init console_device:chr_file rw_file_perms;
81
82# Access /dev/tty0.
83allow init tty_device:chr_file rw_file_perms;
84
85# Call mount(2).
86allow init self:global_capability_class_set sys_admin;
87
88# Call setns(2).
89allow init self:global_capability_class_set sys_chroot;
90
91# Create and mount on directories in /.
92allow init rootfs:dir create_dir_perms;
93allow init {
94    rootfs
95    cache_file
96    cgroup
97    linkerconfig_file
98    storage_file
99    mnt_user_file
100    system_data_file
101    system_data_root_file
102    system_dlkm_file
103    system_file
104    vendor_file
105    postinstall_mnt_dir
106    mirror_data_file
107}:dir mounton;
108
109# Mount bpf fs on sys/fs/bpf
110allow init fs_bpf:dir mounton;
111
112# Mount on /dev/usb-ffs/adb.
113allow init device:dir mounton;
114
115# Mount tmpfs on /apex
116allow init apex_mnt_dir:dir mounton;
117
118# Bind-mount on /system/apex/com.android.art
119allow init art_apex_dir:dir mounton;
120
121# Create and remove symlinks in /.
122allow init rootfs:lnk_file { create unlink };
123
124# Mount debugfs on /sys/kernel/debug.
125allow init sysfs:dir mounton;
126
127# Create cgroups mount points in tmpfs and mount cgroups on them.
128allow init tmpfs:dir create_dir_perms;
129allow init tmpfs:dir mounton;
130allow init cgroup:dir create_dir_perms;
131allow init cgroup:file rw_file_perms;
132allow init cgroup_rc_file:file rw_file_perms;
133allow init cgroup_desc_file:file r_file_perms;
134allow init cgroup_desc_api_file:file r_file_perms;
135allow init vendor_cgroup_desc_file:file r_file_perms;
136allow init cgroup_v2:dir { mounton create_dir_perms};
137allow init cgroup_v2:file rw_file_perms;
138
139# /config
140allow init configfs:dir mounton;
141allow init configfs:dir create_dir_perms;
142allow init configfs:{ file lnk_file } create_file_perms;
143
144# /metadata
145allow init metadata_file:dir mounton;
146
147# Run restorecon on /dev
148allow init tmpfs:dir relabelfrom;
149
150# Create directories under /dev/cpuctl after chowning it to system.
151allow init self:global_capability_class_set { dac_override dac_read_search };
152
153# Set system clock.
154allow init self:global_capability_class_set sys_time;
155
156allow init self:global_capability_class_set { sys_rawio mknod };
157
158# Mounting filesystems from block devices.
159allow init dev_type:blk_file r_file_perms;
160allowxperm init dev_type:blk_file ioctl BLKROSET;
161allowxperm init system_data_root_file:dir ioctl F2FS_IOC_SHUTDOWN;
162
163# Mounting filesystems.
164# Only allow relabelto for types used in context= mount options,
165# which should all be assigned the contextmount_type attribute.
166# This can be done in device-specific policy via type or typeattribute
167# declarations.
168allow init {
169  fs_type
170  enforce_debugfs_restriction(`-debugfs_type')
171}:filesystem ~relabelto;
172
173# Allow init to mount/unmount debugfs in non-user builds.
174enforce_debugfs_restriction(`
175  userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
176')
177
178# Allow init to mount tracefs in /sys/kernel/tracing
179allow init debugfs_tracing_debug:filesystem mount;
180
181allow init unlabeled:filesystem ~relabelto;
182allow init contextmount_type:filesystem relabelto;
183
184# Allow read-only access to context= mounted filesystems.
185allow init contextmount_type:dir r_dir_perms;
186allow init contextmount_type:notdevfile_class_set r_file_perms;
187
188# restorecon /adb_keys or any other rootfs files and directories to a more
189# specific type.
190allow init rootfs:{ dir file } relabelfrom;
191
192# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
193# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
194# system/core/init.rc requires at least cache_file and data_file_type.
195# init.<board>.rc files often include device-specific types, so
196# we just allow all file types except /system files here.
197allow init self:global_capability_class_set { chown fowner fsetid };
198
199allow init {
200  file_type
201  -app_data_file
202  -bpffs_type
203  -exec_type
204  -misc_logd_file
205  -nativetest_data_file
206  -privapp_data_file
207  -system_app_data_file
208  -system_dlkm_file_type
209  -system_file_type
210  -vendor_file_type
211}:dir { create search getattr open read setattr ioctl };
212
213allow init {
214  file_type
215  -app_data_file
216  -bpffs_type
217  -credstore_data_file
218  -exec_type
219  -keystore_data_file
220  -media_userdir_file
221  -misc_logd_file
222  -nativetest_data_file
223  -privapp_data_file
224  -shell_data_file
225  -system_app_data_file
226  -system_dlkm_file_type
227  -system_file_type
228  -system_userdir_file
229  -vendor_file_type
230  -vendor_userdir_file
231  -vold_data_file
232}:dir { write add_name remove_name rmdir relabelfrom };
233
234allow init {
235  file_type
236  -apex_info_file
237  -app_data_file
238  -bpffs_type
239  -exec_type
240  -gsi_data_file
241  -credstore_data_file
242  -keystore_data_file
243  -misc_logd_file
244  -nativetest_data_file
245  -privapp_data_file
246  -runtime_event_log_tags_file
247  -shell_data_file
248  -system_app_data_file
249  -system_dlkm_file_type
250  -system_file_type
251  -vendor_file_type
252  -vold_data_file
253  enforce_debugfs_restriction(`-debugfs_type')
254}:file { create getattr open read write setattr relabelfrom unlink map };
255
256allow init tracefs_type:file { create_file_perms relabelfrom };
257
258# Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine
259# subcontext for action/service defined in APEXes.
260allow init apex_info_file:file r_file_perms;
261
262allow init {
263  file_type
264  -app_data_file
265  -bpffs_type
266  -exec_type
267  -gsi_data_file
268  -credstore_data_file
269  -keystore_data_file
270  -misc_logd_file
271  -nativetest_data_file
272  -privapp_data_file
273  -shell_data_file
274  -system_app_data_file
275  -system_dlkm_file_type
276  -system_file_type
277  -vendor_file_type
278  -vold_data_file
279}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
280
281allow init {
282  file_type
283  -apex_mnt_dir
284  -app_data_file
285  -bpffs_type
286  -exec_type
287  -gsi_data_file
288  -credstore_data_file
289  -keystore_data_file
290  -misc_logd_file
291  -nativetest_data_file
292  -privapp_data_file
293  -shell_data_file
294  -system_app_data_file
295  -system_dlkm_file_type
296  -system_file_type
297  -vendor_file_type
298  -vold_data_file
299}:lnk_file { create getattr setattr relabelfrom unlink };
300
301allow init cache_file:lnk_file r_file_perms;
302
303allow init {
304  file_type
305  -bpffs_type
306  -system_dlkm_file_type
307  -system_file_type
308  -vendor_file_type
309  -exec_type
310  -app_data_file
311  -privapp_data_file
312}:dir_file_class_set relabelto;
313
314allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
315allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
316allow init dev_type:dir create_dir_perms;
317allow init dev_type:lnk_file create;
318
319# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
320allow init debugfs_tracing:file w_file_perms;
321
322# Setup and control wifi event tracing (see wifi-events.rc)
323allow init debugfs_tracing_instances:dir create_dir_perms;
324allow init debugfs_tracing_instances:file w_file_perms;
325allow init debugfs_wifi_tracing:file w_file_perms;
326
327# chown/chmod on pseudo files.
328allow init {
329  fs_type
330  -bpffs_type
331  -contextmount_type
332  -keychord_device
333  -proc_type
334  -sdcard_type
335  -fusefs_type
336  -sysfs_type
337  -rootfs
338  enforce_debugfs_restriction(`-debugfs_type')
339}:file { open read setattr };
340allow init {
341  fs_type
342  -bpffs_type
343  -contextmount_type
344  -sdcard_type
345  -fusefs_type
346  -rootfs
347}:dir { open read setattr search };
348
349allow init {
350  binder_device
351  console_device
352  devpts
353  dm_device
354  hwbinder_device
355  input_device
356  kmsg_device
357  null_device
358  owntty_device
359  pmsg_device
360  ptmx_device
361  random_device
362  tty_device
363  zero_device
364}:chr_file { read open };
365
366# Unlabeled file access for upgrades from 4.2.
367allow init unlabeled:dir { create_dir_perms relabelfrom };
368allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
369
370# Any operation that can modify the kernel ring buffer, e.g. clear
371# or a read that consumes the messages that were read.
372allow init kernel:system syslog_mod;
373allow init self:global_capability2_class_set syslog;
374
375# init access to /proc.
376r_dir_file(init, proc_net_type)
377allow init proc_filesystems:file r_file_perms;
378
379userdebug_or_eng(`
380  # Overlayfs workdir write access check during mount to permit remount,rw
381  allow init overlayfs_file:dir { relabelfrom mounton write };
382  allow init overlayfs_file:file { append rename };
383  allow init overlayfs_file:chr_file unlink;
384  allow init system_block_device:blk_file { write };
385')
386
387allow init {
388  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
389  proc_bootconfig
390  proc_cmdline
391  proc_diskstats
392  proc_kmsg # Open /proc/kmsg for logd service.
393  proc_meminfo
394  proc_stat # Read /proc/stat for bootchart.
395  proc_uptime
396  proc_version
397}:file r_file_perms;
398
399allow init {
400  proc_abi
401  proc_cpu_alignment
402  proc_dirty
403  proc_hostname
404  proc_hung_task
405  proc_extra_free_kbytes
406  proc_net_type
407  proc_max_map_count
408  proc_min_free_order_shift
409  proc_overcommit_memory      # /proc/sys/vm/overcommit_memory
410  proc_panic
411  proc_page_cluster
412  proc_perf
413  proc_sched
414  proc_sysrq
415  proc_watermark_boost_factor
416}:file w_file_perms;
417
418allow init {
419  proc_security
420}:file rw_file_perms;
421
422# init chmod/chown access to /proc files.
423allow init {
424  proc_cmdline
425  proc_bootconfig
426  proc_kmsg
427  proc_net
428  proc_pagetypeinfo
429  proc_qtaguid_stat
430  proc_slabinfo
431  proc_sysrq
432  proc_qtaguid_ctrl
433  proc_vmallocinfo
434}:file setattr;
435
436# init access to /sys files.
437allow init {
438  sysfs_android_usb
439  sysfs_dm_verity
440  sysfs_leds
441  sysfs_power
442  sysfs_fs_f2fs
443  sysfs_dm
444  sysfs_lru_gen_enabled
445}:file w_file_perms;
446
447allow init {
448  sysfs_dt_firmware_android
449  sysfs_fs_ext4_features
450}:file r_file_perms;
451
452allow init {
453  sysfs_zram
454}:file rw_file_perms;
455
456# allow init to create loop devices with /dev/loop-control
457allow init loop_control_device:chr_file rw_file_perms;
458allow init loop_device:blk_file rw_file_perms;
459allowxperm init loop_device:blk_file ioctl {
460  LOOP_SET_FD
461  LOOP_CLR_FD
462  LOOP_CTL_GET_FREE
463  LOOP_SET_BLOCK_SIZE
464  LOOP_SET_DIRECT_IO
465  LOOP_GET_STATUS
466  LOOP_SET_STATUS64
467};
468
469# Allow init to write to vibrator/trigger
470allow init sysfs_vibrator:file w_file_perms;
471
472# init chmod/chown access to /sys files.
473allow init {
474  sysfs_android_usb
475  sysfs_devices_system_cpu
476  sysfs_ipv4
477  sysfs_leds
478  sysfs_lowmemorykiller
479  sysfs_power
480  sysfs_vibrator
481  sysfs_wake_lock
482  sysfs_zram
483}:file setattr;
484
485# Set usermodehelpers.
486allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
487
488allow init self:global_capability_class_set net_admin;
489
490# Reboot.
491allow init self:global_capability_class_set sys_boot;
492
493# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
494# Init will also walk through the directory as part of a recursive restorecon.
495allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
496allow init misc_logd_file:file { open create getattr setattr write };
497
498# Support "adb shell stop"
499allow init self:global_capability_class_set kill;
500allow init domain:process { getpgid sigkill signal };
501
502# Init creates credstore's directory on boot, and walks through
503# the directory as part of a recursive restorecon.
504allow init credstore_data_file:dir { open create read getattr setattr search };
505allow init credstore_data_file:file { getattr };
506
507# Init creates keystore's directory on boot, and walks through
508# the directory as part of a recursive restorecon.
509allow init keystore_data_file:dir { open create read getattr setattr search };
510allow init keystore_data_file:file { getattr };
511
512# Init creates vold's directory on boot, and walks through
513# the directory as part of a recursive restorecon.
514allow init vold_data_file:dir { open create read getattr setattr search };
515allow init vold_data_file:file { getattr };
516
517# Init creates /data/local/tmp at boot
518allow init shell_data_file:dir { open create read getattr setattr search };
519allow init shell_data_file:file { getattr };
520
521# Set UID, GID, and adjust capability bounding set for services.
522allow init self:global_capability_class_set { setuid setgid setpcap };
523
524# For bootchart to read the /proc/$pid/cmdline file of each process,
525# we need to have following line to allow init to have access
526# to different domains.
527r_dir_file(init, domain)
528
529# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
530# setexec is for services with seclabel options.
531# setfscreate is for labeling directories and socket files.
532# setsockcreate is for labeling local/unix domain sockets.
533allow init self:process { setexec setfscreate setsockcreate };
534
535# Get file context
536allow init file_contexts_file:file r_file_perms;
537
538# sepolicy access
539allow init sepolicy_file:file r_file_perms;
540
541# Perform SELinux access checks on setting properties.
542selinux_check_access(init)
543
544# Ask the kernel for the new context on services to label their sockets.
545allow init kernel:security compute_create;
546
547# Create sockets for the services.
548allow init domain:unix_stream_socket { create bind setopt };
549allow init domain:unix_dgram_socket { create bind setopt };
550
551# Create /data/property and files within it.
552allow init property_data_file:dir create_dir_perms;
553allow init property_data_file:file create_file_perms;
554
555# Set any property.
556allow init property_type:property_service set;
557
558# Send an SELinux userspace denial to the kernel audit subsystem,
559# so it can be picked up and processed by logd. These denials are
560# generated when an attempt to set a property is denied by policy.
561allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
562allow init self:global_capability_class_set audit_write;
563
564# Run "ifup lo" to bring up the localhost interface
565allow init self:udp_socket { create ioctl };
566# in addition to unpriv ioctls granted to all domains, init also needs:
567allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
568allow init self:global_capability_class_set net_raw;
569
570# Set scheduling info for psi monitor thread.
571# TODO: delete or revise this line b/131761776
572allow init kernel:process { getsched setsched };
573
574# swapon() needs write access to swap device
575# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
576allow init swap_block_device:blk_file rw_file_perms;
577
578# Create and access /dev files without a specific type,
579# e.g. /dev/.coldboot_done, /dev/.booting
580# TODO:  Move these files into their own type unless they are
581# only ever accessed by init.
582allow init device:file create_file_perms;
583
584# keychord retrieval from /dev/input/ devices
585allow init input_device:dir r_dir_perms;
586allow init input_device:chr_file rw_file_perms;
587
588# Access device mapper for setting up dm-verity
589allow init dm_device:chr_file rw_file_perms;
590allow init dm_device:blk_file rw_file_perms;
591
592# Access dm-user for OTA boot
593allow init dm_user_device:chr_file rw_file_perms;
594
595# Access metadata block device for storing dm-verity state
596allow init metadata_block_device:blk_file rw_file_perms;
597
598# Read /sys/fs/pstore/console-ramoops to detect restarts caused
599# by dm-verity detecting corrupted blocks
600allow init pstorefs:dir search;
601allow init pstorefs:file r_file_perms;
602allow init kernel:system syslog_read;
603
604# linux keyring configuration
605allow init init:key { write search setattr };
606
607# Allow init to create /data/unencrypted
608allow init unencrypted_data_file:dir create_dir_perms;
609
610# Set encryption policy on dirs in /data
611allowxperm init { data_file_type unlabeled }:dir ioctl {
612  FS_IOC_GET_ENCRYPTION_POLICY
613  FS_IOC_SET_ENCRYPTION_POLICY
614};
615
616# Raw writes to misc block device
617allow init misc_block_device:blk_file w_file_perms;
618
619r_dir_file(init, system_file)
620r_dir_file(init, system_dlkm_file_type)
621r_dir_file(init, vendor_file_type)
622
623allow init system_data_file:file { getattr read };
624allow init system_data_file:lnk_file r_file_perms;
625
626# For init to be able to run shell scripts from vendor
627allow init vendor_shell_exec:file execute;
628
629# Metadata setup
630allow init vold_metadata_file:dir create_dir_perms;
631allow init vold_metadata_file:file getattr;
632allow init metadata_bootstat_file:dir create_dir_perms;
633allow init metadata_bootstat_file:file w_file_perms;
634allow init userspace_reboot_metadata_file:file w_file_perms;
635
636# Allow init to touch PSI monitors
637allow init proc_pressure_mem:file { rw_file_perms setattr };
638
639# init is using bootstrap bionic
640use_bootstrap_libs(init)
641
642# stat the root dir of fuse filesystems (for the mount handler)
643allow init fuse:dir { search getattr };
644
645# allow filesystem tuning
646allow init userdata_sysdev:file create_file_perms;
647
648# allow disk tuning
649allow init rootdisk_sysdev:file create_file_perms;
650
651###
652### neverallow rules
653###
654
655# The init domain is only entered via an exec based transition from the
656# kernel domain, never via setcon().
657neverallow domain init:process dyntransition;
658neverallow { domain -kernel } init:process transition;
659neverallow init { file_type fs_type -init_exec }:file entrypoint;
660
661# Never read/follow symlinks created by shell or untrusted apps.
662neverallow init shell_data_file:lnk_file read;
663neverallow init { app_data_file privapp_data_file }:lnk_file read;
664
665# init should never execute a program without changing to another domain.
666neverallow init { file_type fs_type }:file execute_no_trans;
667
668# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
669# when init is executing other binaries. The use of LD_PRELOAD for init spawned
670# services is generally considered a no-no, as it injects libraries which the
671# binary was not expecting. This is especially problematic for APEXes. The use
672# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
673# code into a process which wasn't expecting that code, with potentially
674# unexpected side effects. (b/140789528)
675neverallow init *:process noatsecure;
676
677# init can never add binder services
678neverallow init service_manager_type:service_manager { add find };
679# init can never list binder services
680neverallow init servicemanager:service_manager list;
681
682# Init should not be creating subdirectories in /data/local/tmp
683neverallow init shell_data_file:dir { write add_name remove_name };
684
685# Init should not access sysfs node that are not explicitly labeled.
686neverallow init sysfs:file { open write };
687
688# No domain should be allowed to ptrace init.
689neverallow * init:process ptrace;
690
691# init owns the root of /data
692# TODO(b/140259336) We want to remove vendor_init
693# TODO(b/141108496) We want to remove toolbox
694neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
695