1typeattribute init coredomain; 2 3tmpfs_domain(init) 4 5# Transitions to seclabel processes in init.rc 6domain_trans(init, rootfs, slideshow) 7domain_auto_trans(init, charger_exec, charger) 8domain_auto_trans(init, e2fs_exec, e2fs) 9domain_auto_trans(init, bpfloader_exec, bpfloader) 10 11recovery_only(` 12 # Files in recovery image are labeled as rootfs. 13 domain_trans(init, rootfs, adbd) 14 domain_trans(init, rootfs, hal_bootctl_server) 15 domain_trans(init, rootfs, charger) 16 domain_trans(init, rootfs, fastbootd) 17 domain_trans(init, rootfs, hal_fastboot_server) 18 domain_trans(init, rootfs, hal_health_server) 19 domain_trans(init, rootfs, recovery) 20 domain_trans(init, rootfs, linkerconfig) 21 domain_trans(init, rootfs, servicemanager) 22 domain_trans(init, rootfs, snapuserd) 23') 24domain_trans(init, shell_exec, shell) 25domain_trans(init, init_exec, ueventd) 26domain_trans(init, init_exec, vendor_init) 27domain_trans(init, { rootfs toolbox_exec }, modprobe) 28userdebug_or_eng(` 29 # case where logpersistd is actually logcat -f in logd context (nee: logcatd) 30 domain_auto_trans(init, logcat_exec, logpersist) 31 32 # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng 33 allow init su:process transition; 34 dontaudit init su:process noatsecure; 35 allow init su:process { siginh rlimitinh }; 36') 37 38# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path. 39# This is useful in case of remounting ext4 userdata into checkpointing mode, 40# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto) 41# that userdata is mounted onto. 42allow init sysfs_dm:file read; 43 44# Allow init to modify the properties of loop devices. 45allow init sysfs_loop:dir r_dir_perms; 46allow init sysfs_loop:file rw_file_perms; 47 48# Allow init to examine the properties of block devices. 49allow init sysfs_type:file { getattr read }; 50# Allow init get the attributes of block devices in /dev/block. 51allow init dev_type:dir r_dir_perms; 52allow init dev_type:blk_file getattr; 53 54# Allow init to write to the drop_caches file. 55allow init proc_drop_caches:file rw_file_perms; 56 57# Allow the BoringSSL self test to request a reboot upon failure 58set_prop(init, powerctl_prop) 59 60set_prop(init, userspace_reboot_exported_prop) 61 62# Second-stage init performs a test for whether the kernel has SELinux hooks 63# for the perf_event_open() syscall. This is done by testing for the syscall 64# outcomes corresponding to this policy. 65# TODO(b/137092007): this can be removed once the platform stops supporting 66# kernels that precede the perf_event_open hooks (Android common kernels 4.4 67# and 4.9). 68allow init self:perf_event { open cpu }; 69allow init self:global_capability2_class_set perfmon; 70 71# Allow opening /proc/kallsyms so that on boot, init can create and retain an 72# fd with the full address visibility (which is evaluated on open and persists 73# for the lifetime of the open file description). This fd can then be shared 74# with other privileged processes. 75allow init proc_kallsyms:file r_file_perms; 76 77# Allow init to communicate with snapuserd to transition Virtual A/B devices 78# from the first-stage daemon to the second-stage. 79allow init snapuserd_socket:sock_file write; 80allow init snapuserd:unix_stream_socket connectto; 81# Allow for libsnapshot's use of flock() on /metadata/ota. 82allow init ota_metadata_file:dir lock; 83 84# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling 85# /dev/block. 86allow init vd_device:blk_file relabelto; 87 88set_prop(init, init_perf_lsm_hooks_prop) 89set_prop(init, vts_status_prop) 90 91# Allow init to set 16kb app compatibility props 92set_prop(init, bionic_linker_16kb_app_compat_prop) 93set_prop(init, pm_16kb_app_compat_prop) 94 95 96# Allow init to set/get prefetch boot prop to initiate record/replay 97set_prop(init, ctl_prefetch_prop); 98 99# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing. 100allow init debugfs_bootreceiver_tracing:file w_file_perms; 101 102# PRNG seeder daemon socket is created and listened on by init before forking. 103allow init prng_seeder:unix_stream_socket { create bind listen }; 104 105# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will 106# attempt to write a non exisiting 'synthetic_events' file, when setting 107# up synthetic events. This is a no-op in tracefs. 108dontaudit init debugfs_tracing_debug:dir { write add_name }; 109 110# chown/chmod on devices. 111allow init { 112 dev_type 113 -hw_random_device 114 -keychord_device 115 -vm_manager_device_type 116 -port_device 117}:chr_file setattr; 118 119# /dev/__null__ node created by init. 120allow init tmpfs:chr_file { create setattr unlink rw_file_perms }; 121 122# 123# init direct restorecon calls. 124# 125# /dev/kmsg 126allow init tmpfs:chr_file relabelfrom; 127allow init kmsg_device:chr_file { getattr write relabelto }; 128# /dev/kmsg_debug 129userdebug_or_eng(` 130 allow init kmsg_debug_device:chr_file { open write relabelto }; 131') 132# /mnt/vm, also permissions to mkdir / mount / chmod / chown 133allow init vm_data_file:dir { add_name create search write getattr setattr relabelto mounton }; 134 135# allow init to mount and unmount debugfs in debug builds 136userdebug_or_eng(` 137 allow init debugfs:dir mounton; 138') 139 140# /dev/__properties__ 141allow init properties_device:dir relabelto; 142allow init properties_serial:file { write relabelto }; 143allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write }; 144# /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info 145allow init properties_device:file create_file_perms; 146allow init property_info:file relabelto; 147# /dev/event-log-tags 148allow init device:file relabelfrom; 149allow init runtime_event_log_tags_file:file { open write setattr relabelto create }; 150# /dev/socket 151allow init { device socket_device dm_user_device }:dir relabelto; 152# allow init to establish connection and communicate with lmkd 153unix_socket_connect(init, lmkd, lmkd) 154# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random 155# and /dev/urandom 156allow init { console_device null_device ptmx_device random_device } : chr_file relabelto; 157# /dev/device-mapper, /dev/block(/.*)? 158allow init tmpfs:{ chr_file blk_file } relabelfrom; 159allow init tmpfs:blk_file getattr; 160allow init block_device:{ dir blk_file lnk_file } relabelto; 161allow init dm_device:{ chr_file blk_file } relabelto; 162allow init dm_user_device:chr_file relabelto; 163allow init kernel:fd use; 164# restorecon for early mount device symlinks 165allow init tmpfs:lnk_file { getattr read relabelfrom }; 166allow init { 167 metadata_block_device 168 misc_block_device 169 recovery_block_device 170 system_block_device 171 userdata_block_device 172}:{ blk_file lnk_file } relabelto; 173 174allow init dtbo_block_device:lnk_file relabelto; 175allow init super_block_device:lnk_file relabelto; 176 177# Create /mnt/sdcard -> /storage/self/primary symlink. 178allow init mnt_sdcard_file:lnk_file create; 179 180# setrlimit 181allow init self:global_capability_class_set sys_resource; 182 183# Remove /dev/.booting and load /debug_ramdisk/* files 184allow init tmpfs:file { getattr unlink }; 185 186# Access pty created for fsck. 187allow init devpts:chr_file { read write open }; 188 189# Create /dev/fscklogs files. 190allow init fscklogs:file create_file_perms; 191 192# Access /dev/__null__ node created prior to initial policy load. 193allow init tmpfs:chr_file write; 194 195# Access /dev/console. 196allow init console_device:chr_file rw_file_perms; 197 198# Access /dev/tty0. 199allow init tty_device:chr_file rw_file_perms; 200 201# Call mount(2). 202allow init self:global_capability_class_set sys_admin; 203 204# Call setns(2). 205allow init self:global_capability_class_set sys_chroot; 206 207# Create and mount on directories in /. 208allow init rootfs:dir create_dir_perms; 209allow init { 210 rootfs 211 cache_file 212 cgroup 213 linkerconfig_file 214 storage_file 215 mnt_user_file 216 system_data_file 217 system_data_root_file 218 system_dlkm_file 219 system_file 220 vendor_file 221 postinstall_mnt_dir 222 mirror_data_file 223 shell_data_file 224}:dir mounton; 225 226# Mount bpf fs on sys/fs/bpf 227allow init fs_bpf:dir mounton; 228 229# Mount on /dev/usb-ffs/adb. 230allow init device:dir mounton; 231 232# Mount tmpfs on /apex 233allow init apex_mnt_dir:dir mounton; 234 235# Bind-mount on /system/apex/com.android.art 236allow init art_apex_dir:dir mounton; 237 238# Create and remove symlinks in /. 239allow init rootfs:lnk_file { create unlink }; 240 241# Mount debugfs on /sys/kernel/debug. 242allow init sysfs:dir mounton; 243 244# Create cgroups mount points in tmpfs and mount cgroups on them. 245allow init tmpfs:dir create_dir_perms; 246allow init tmpfs:dir mounton; 247allow init cgroup:dir create_dir_perms; 248allow init cgroup:file rw_file_perms; 249allow init cgroup_rc_file:file rw_file_perms; 250allow init cgroup_desc_file:file r_file_perms; 251allow init vendor_cgroup_desc_file:file r_file_perms; 252allow init cgroup_v2:dir { mounton create_dir_perms}; 253allow init cgroup_v2:file rw_file_perms; 254 255# /config 256allow init configfs:dir mounton; 257allow init configfs:dir create_dir_perms; 258allow init configfs:{ file lnk_file } create_file_perms; 259 260# /metadata 261allow init metadata_file:dir mounton; 262 263# Run restorecon on /dev 264allow init tmpfs:dir relabelfrom; 265 266# Create directories under /dev/cpuctl after chowning it to system. 267allow init self:global_capability_class_set { dac_override dac_read_search }; 268 269# Set system clock. 270allow init self:global_capability_class_set sys_time; 271 272allow init self:global_capability_class_set { sys_rawio mknod }; 273 274# Mounting filesystems from block devices. 275allow init dev_type:blk_file r_file_perms; 276allowxperm init dev_type:blk_file ioctl BLKROSET; 277allowxperm init system_data_root_file:dir ioctl F2FS_IOC_SHUTDOWN; 278 279# Mounting filesystems. 280# Only allow relabelto for types used in context= mount options, 281# which should all be assigned the contextmount_type attribute. 282# This can be done in device-specific policy via type or typeattribute 283# declarations. 284allow init { 285 fs_type 286 enforce_debugfs_restriction(`-debugfs_type') 287}:filesystem ~relabelto; 288 289# Allow init to mount/unmount debugfs in non-user builds. 290enforce_debugfs_restriction(` 291 userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };') 292') 293 294# Allow init to mount tracefs in /sys/kernel/tracing 295allow init debugfs_tracing_debug:filesystem mount; 296 297allow init unlabeled:filesystem ~relabelto; 298allow init contextmount_type:filesystem relabelto; 299 300# Allow read-only access to context= mounted filesystems. 301allow init contextmount_type:dir r_dir_perms; 302allow init contextmount_type:notdevfile_class_set r_file_perms; 303 304# restorecon /adb_keys or any other rootfs files and directories to a more 305# specific type. 306allow init rootfs:{ dir file } relabelfrom; 307 308# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files. 309# chown/chmod require open+read+setattr required for open()+fchown/fchmod(). 310# system/core/init.rc requires at least cache_file and data_file_type. 311# init.<board>.rc files often include device-specific types, so 312# we just allow all file types except /system files here. 313allow init self:global_capability_class_set { chown fowner fsetid }; 314 315allow init { 316 file_type 317 -app_data_file 318 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 319 -storage_area_dir 320 -storage_area_app_dir 321 -storage_area_content_file 322 ') 323 -vm_data_file 324 -bpffs_type 325 -exec_type 326 -misc_logd_file 327 -nativetest_data_file 328 -privapp_data_file 329 -system_app_data_file 330 -system_dlkm_file_type 331 -system_file_type 332 -vendor_file_type 333}:dir { create search getattr open read setattr ioctl }; 334 335allow init { 336 file_type 337 -app_data_file 338 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 339 -storage_area_dir 340 -storage_area_app_dir 341 -storage_area_content_file 342 ') 343 -vm_data_file 344 -bpffs_type 345 -credstore_data_file 346 -exec_type 347 -keystore_data_file 348 -media_userdir_file 349 -misc_logd_file 350 -nativetest_data_file 351 -privapp_data_file 352 -shell_data_file 353 -system_app_data_file 354 -system_dlkm_file_type 355 -system_file_type 356 -system_userdir_file 357 -vendor_file_type 358 -vendor_userdir_file 359 -vold_data_file 360}:dir { write add_name remove_name rmdir relabelfrom }; 361 362allow init { 363 file_type 364 -apex_info_file 365 -app_data_file 366 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 367 -storage_area_dir 368 -storage_area_app_dir 369 -storage_area_content_file 370 ') 371 -vm_data_file 372 -bpffs_type 373 -exec_type 374 -gsi_data_file 375 -credstore_data_file 376 -keystore_data_file 377 -misc_logd_file 378 -nativetest_data_file 379 -privapp_data_file 380 -runtime_event_log_tags_file 381 -shell_data_file 382 -system_app_data_file 383 -system_dlkm_file_type 384 -system_file_type 385 -vendor_file_type 386 -vold_data_file 387 enforce_debugfs_restriction(`-debugfs_type') 388}:file { create getattr open read write setattr relabelfrom unlink map }; 389 390allow init tracefs_type:file { create_file_perms relabelfrom }; 391 392# Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine 393# subcontext for action/service defined in APEXes. 394allow init apex_info_file:file r_file_perms; 395 396allow init { 397 file_type 398 -app_data_file 399 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 400 -storage_area_dir 401 -storage_area_app_dir 402 -storage_area_content_file 403 ') 404 -vm_data_file 405 -bpffs_type 406 -exec_type 407 -gsi_data_file 408 -credstore_data_file 409 -keystore_data_file 410 -misc_logd_file 411 -nativetest_data_file 412 -privapp_data_file 413 -shell_data_file 414 -system_app_data_file 415 -system_dlkm_file_type 416 -system_file_type 417 -vendor_file_type 418 -vold_data_file 419}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink }; 420 421allow init { 422 file_type 423 -apex_mnt_dir 424 -app_data_file 425 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 426 -storage_area_dir 427 -storage_area_app_dir 428 -storage_area_content_file 429 ') 430 -vm_data_file 431 -bpffs_type 432 -exec_type 433 -gsi_data_file 434 -credstore_data_file 435 -keystore_data_file 436 -misc_logd_file 437 -nativetest_data_file 438 -privapp_data_file 439 -shell_data_file 440 -system_app_data_file 441 -system_dlkm_file_type 442 -system_file_type 443 -vendor_file_type 444 -vold_data_file 445}:lnk_file { create getattr setattr relabelfrom unlink }; 446 447allow init cache_file:lnk_file r_file_perms; 448 449allow init { 450 file_type 451 -bpffs_type 452 -system_dlkm_file_type 453 -system_file_type 454 -vendor_file_type 455 -exec_type 456 -app_data_file 457 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 458 -storage_area_dir 459 -storage_area_app_dir 460 -storage_area_content_file 461 ') 462 -vm_data_file 463 -privapp_data_file 464}:dir_file_class_set relabelto; 465 466allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom }; 467allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr }; 468allow init dev_type:dir create_dir_perms; 469allow init dev_type:lnk_file create; 470 471# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on 472allow init debugfs_tracing:file w_file_perms; 473 474# Setup and control wifi event tracing (see wifi-events.rc) 475allow init debugfs_tracing_instances:dir create_dir_perms; 476allow init debugfs_tracing_instances:file w_file_perms; 477allow init debugfs_wifi_tracing:file w_file_perms; 478allow init debugfs_wifi_tracing:dir create_dir_perms; 479 480# chown/chmod on pseudo files. 481allow init { 482 fs_type 483 -bpffs_type 484 -contextmount_type 485 -keychord_device 486 -proc_type 487 -sdcard_type 488 -fusefs_type 489 -sysfs_type 490 -rootfs 491 enforce_debugfs_restriction(`-debugfs_type') 492}:file { open read setattr }; 493allow init { 494 fs_type 495 -bpffs_type 496 -contextmount_type 497 -sdcard_type 498 -fusefs_type 499 -rootfs 500}:dir { open read setattr search }; 501 502allow init { 503 binder_device 504 console_device 505 devpts 506 dm_device 507 hwbinder_device 508 input_device 509 kmsg_device 510 null_device 511 owntty_device 512 pmsg_device 513 ptmx_device 514 random_device 515 tty_device 516 zero_device 517}:chr_file { read open }; 518 519# Unlabeled file access for upgrades from 4.2. 520allow init unlabeled:dir { create_dir_perms relabelfrom }; 521allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom }; 522 523# Any operation that can modify the kernel ring buffer, e.g. clear 524# or a read that consumes the messages that were read. 525allow init kernel:system syslog_mod; 526allow init self:global_capability2_class_set syslog; 527 528# init access to /proc. 529r_dir_file(init, proc_net_type) 530allow init proc_filesystems:file r_file_perms; 531 532userdebug_or_eng(` 533 # Overlayfs workdir write access check during mount to permit remount,rw 534 allow init overlayfs_file:dir { relabelfrom mounton write }; 535 allow init overlayfs_file:file { append rename }; 536 allow init overlayfs_file:chr_file unlink; 537 allow init system_block_device:blk_file { write }; 538') 539 540allow init { 541 proc # b/67049235 processes /proc/<pid>/* files are mislabeled. 542 proc_allocinfo 543 proc_bootconfig 544 proc_cmdline 545 proc_diskstats 546 proc_kmsg # Open /proc/kmsg for logd service. 547 proc_meminfo 548 proc_stat # Read /proc/stat for bootchart. 549 proc_uptime 550 proc_version 551}:file r_file_perms; 552 553allow init { 554 proc_abi 555 proc_cpu_alignment 556 proc_dirty 557 proc_hostname 558 proc_hung_task 559 proc_extra_free_kbytes 560 proc_net_type 561 proc_max_map_count 562 proc_min_free_order_shift 563 proc_overcommit_memory # /proc/sys/vm/overcommit_memory 564 proc_panic 565 proc_page_cluster 566 proc_perf 567 proc_sched 568 proc_sysrq 569 proc_watermark_boost_factor 570}:file w_file_perms; 571 572allow init { 573 proc_security 574}:file rw_file_perms; 575 576# init chmod/chown access to /proc files. 577allow init { 578 proc_allocinfo 579 proc_cmdline 580 proc_bootconfig 581 proc_kmsg 582 proc_net 583 proc_pagetypeinfo 584 proc_qtaguid_stat 585 proc_slabinfo 586 proc_sysrq 587 proc_qtaguid_ctrl 588 proc_vmallocinfo 589}:file setattr; 590 591# init access to /sys files. 592allow init { 593 sysfs_android_usb 594 sysfs_dm_verity 595 sysfs_leds 596 sysfs_power 597 sysfs_fs_f2fs 598 sysfs_dm 599 sysfs_lru_gen_enabled 600 sysfs_pgsize_migration 601}:file w_file_perms; 602 603allow init { 604 sysfs_dt_firmware_android 605 sysfs_fs_ext4_features 606}:file r_file_perms; 607 608allow init { 609 sysfs_zram 610}:file rw_file_perms; 611 612# allow init to create loop devices with /dev/loop-control 613allow init loop_control_device:chr_file rw_file_perms; 614allow init loop_device:blk_file rw_file_perms; 615allowxperm init loop_device:blk_file ioctl { 616 LOOP_SET_FD 617 LOOP_CLR_FD 618 LOOP_CTL_GET_FREE 619 LOOP_SET_BLOCK_SIZE 620 LOOP_SET_DIRECT_IO 621 LOOP_GET_STATUS 622 LOOP_SET_STATUS64 623}; 624 625# Allow init to write to vibrator/trigger 626allow init sysfs_vibrator:file w_file_perms; 627 628# init chmod/chown access to /sys files. 629allow init { 630 sysfs_android_usb 631 sysfs_devices_system_cpu 632 sysfs_firmware_acpi_tables 633 sysfs_ipv4 634 sysfs_leds 635 sysfs_lowmemorykiller 636 sysfs_power 637 sysfs_vibrator 638 sysfs_wake_lock 639 sysfs_zram 640}:file setattr; 641 642# Set usermodehelpers. 643allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms; 644 645allow init self:global_capability_class_set net_admin; 646 647# Reboot. 648allow init self:global_capability_class_set sys_boot; 649 650# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd". 651# Init will also walk through the directory as part of a recursive restorecon. 652allow init misc_logd_file:dir { add_name open create read getattr setattr search write }; 653allow init misc_logd_file:file { open create getattr setattr write }; 654 655# Support "adb shell stop" 656allow init self:global_capability_class_set kill; 657allow init domain:process { getpgid sigkill signal }; 658 659# Init creates credstore's directory on boot, and walks through 660# the directory as part of a recursive restorecon. 661allow init credstore_data_file:dir { open create read getattr setattr search }; 662allow init credstore_data_file:file { getattr }; 663 664# Init creates keystore's directory on boot, and walks through 665# the directory as part of a recursive restorecon. 666allow init keystore_data_file:dir { open create read getattr setattr search }; 667allow init keystore_data_file:file { getattr }; 668 669# Init creates vold's directory on boot, and walks through 670# the directory as part of a recursive restorecon. 671allow init vold_data_file:dir { open create read getattr setattr search }; 672allow init vold_data_file:file { getattr }; 673 674# Init creates /data/local/tmp at boot 675allow init shell_data_file:dir { open create read getattr setattr search }; 676allow init shell_data_file:file { getattr }; 677 678# Set UID, GID, and adjust capability bounding set for services. 679allow init self:global_capability_class_set { setuid setgid setpcap }; 680 681# For bootchart to read the /proc/$pid/cmdline file of each process, 682# we need to have following line to allow init to have access 683# to different domains. 684r_dir_file(init, domain) 685 686# Use setexeccon(), setfscreatecon(), and setsockcreatecon(). 687# setexec is for services with seclabel options. 688# setfscreate is for labeling directories and socket files. 689# setsockcreate is for labeling local/unix domain sockets. 690allow init self:process { setexec setfscreate setsockcreate }; 691 692# Get file context 693allow init file_contexts_file:file r_file_perms; 694 695# sepolicy access 696allow init sepolicy_file:file r_file_perms; 697 698# Perform SELinux access checks on setting properties. 699selinux_check_access(init) 700 701# Ask the kernel for the new context on services to label their sockets. 702allow init kernel:security compute_create; 703 704# Create sockets for the services. 705allow init domain:unix_stream_socket { create bind setopt }; 706allow init domain:unix_dgram_socket { create bind setopt }; 707 708# Create /data/property and files within it. 709allow init property_data_file:dir create_dir_perms; 710allow init property_data_file:file create_file_perms; 711 712# Set any property. 713allow init property_type:property_service set; 714 715# Send an SELinux userspace denial to the kernel audit subsystem, 716# so it can be picked up and processed by logd. These denials are 717# generated when an attempt to set a property is denied by policy. 718allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay }; 719allow init self:global_capability_class_set audit_write; 720 721# Run "ifup lo" to bring up the localhost interface 722allow init self:udp_socket { create ioctl }; 723# in addition to unpriv ioctls granted to all domains, init also needs: 724allowxperm init self:udp_socket ioctl SIOCSIFFLAGS; 725allow init self:global_capability_class_set net_raw; 726 727# Set scheduling info for psi monitor thread. 728# TODO: delete or revise this line b/131761776 729allow init kernel:process { getsched setsched }; 730 731# swapon() needs write access to swap device 732# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all 733allow init swap_block_device:blk_file rw_file_perms; 734# Allow to change group owner and permissions for new swap setup in mmd 735allow init swap_block_device:blk_file setattr; 736 737# Create and access /dev files without a specific type, 738# e.g. /dev/.coldboot_done, /dev/.booting 739# TODO: Move these files into their own type unless they are 740# only ever accessed by init. 741allow init device:file create_file_perms; 742 743# keychord retrieval from /dev/input/ devices 744allow init input_device:dir r_dir_perms; 745allow init input_device:chr_file rw_file_perms; 746 747# Access device mapper for setting up dm-verity 748allow init dm_device:chr_file rw_file_perms; 749allow init dm_device:blk_file rw_file_perms; 750 751# Access dm-user for OTA boot 752allow init dm_user_device:chr_file rw_file_perms; 753 754# Access metadata block device for storing dm-verity state 755allow init metadata_block_device:blk_file rw_file_perms; 756 757# Read /sys/fs/pstore/console-ramoops to detect restarts caused 758# by dm-verity detecting corrupted blocks 759allow init pstorefs:dir search; 760allow init pstorefs:file r_file_perms; 761allow init kernel:system syslog_read; 762 763# linux keyring configuration 764allow init init:key { write search setattr }; 765 766# Allow init to create /data/unencrypted 767allow init unencrypted_data_file:dir create_dir_perms; 768 769# Set encryption policy on dirs in /data 770allowxperm init { data_file_type unlabeled }:dir ioctl { 771 FS_IOC_GET_ENCRYPTION_POLICY 772 FS_IOC_SET_ENCRYPTION_POLICY 773}; 774 775# Raw writes to misc block device 776allow init misc_block_device:blk_file w_file_perms; 777 778r_dir_file(init, system_file) 779r_dir_file(init, system_dlkm_file_type) 780r_dir_file(init, vendor_file_type) 781 782allow init system_data_file:file { getattr read }; 783allow init system_data_file:lnk_file r_file_perms; 784 785# For init to be able to run shell scripts from vendor 786allow init vendor_shell_exec:file execute; 787 788# Metadata setup 789allow init vold_metadata_file:dir create_dir_perms; 790allow init vold_metadata_file:file getattr; 791allow init metadata_bootstat_file:dir create_dir_perms; 792allow init metadata_bootstat_file:file w_file_perms; 793allow init userspace_reboot_metadata_file:file w_file_perms; 794 795# Allow init to touch PSI monitors 796allow init proc_pressure_mem:file { rw_file_perms setattr }; 797 798# init is using bootstrap bionic 799use_bootstrap_libs(init) 800 801# stat the root dir of fuse filesystems (for the mount handler) 802allow init fuse:dir { search getattr }; 803 804# allow filesystem tuning 805allow init userdata_sysdev:file create_file_perms; 806 807# allow disk tuning 808allow init rootdisk_sysdev:file create_file_perms; 809 810# Allow updating the trade-in mode wipe indicator. 811allow init tradeinmode_metadata_file:file rw_file_perms; 812 813### 814### neverallow rules 815### 816 817# The init domain is only entered via an exec based transition from the 818# kernel domain, never via setcon(). 819neverallow domain init:process dyntransition; 820neverallow { domain -kernel userdebug_or_eng(`-overlay_remounter') } init:process transition; 821neverallow init { file_type fs_type -init_exec }:file entrypoint; 822 823# Never read/follow symlinks created by shell or untrusted apps. 824neverallow init shell_data_file:lnk_file read; 825neverallow init app_data_file_type:lnk_file read; 826 827# init should never execute a program without changing to another domain. 828neverallow init { file_type fs_type }:file execute_no_trans; 829 830# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed 831# when init is executing other binaries. The use of LD_PRELOAD for init spawned 832# services is generally considered a no-no, as it injects libraries which the 833# binary was not expecting. This is especially problematic for APEXes. The use 834# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads 835# code into a process which wasn't expecting that code, with potentially 836# unexpected side effects. (b/140789528) 837neverallow init *:process noatsecure; 838 839# init can never add binder services 840neverallow init service_manager_type:service_manager { add find }; 841# init can never list binder services 842neverallow init servicemanager:service_manager list; 843 844# Init should not be creating subdirectories in /data/local/tmp 845neverallow init shell_data_file:dir { write add_name remove_name }; 846 847# Init should not access sysfs node that are not explicitly labeled. 848neverallow init sysfs:file { open write }; 849 850# No domain should be allowed to ptrace init. 851neverallow * init:process ptrace; 852 853# init owns the root of /data 854# TODO(b/140259336) We want to remove vendor_init 855# TODO(b/141108496) We want to remove toolbox 856neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name }; 857 858# Only init is allowed to set userspace reboot related properties. 859neverallow { domain -init } userspace_reboot_exported_prop:property_service set; 860 861neverallow init self:perf_event { kernel tracepoint read write }; 862dontaudit init self:perf_event { kernel tracepoint read write }; 863 864# Only init is allowed to set the sysprop indicating whether perf_event_open() 865# SELinux hooks were detected. 866neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set; 867 868# Only init can write vts.native_server.on 869neverallow { domain -init } vts_status_prop:property_service set; 870 871# Only init can write normal ro.boot. properties 872neverallow { domain -init } bootloader_prop:property_service set; 873 874# Only init can write hal.instrumentation.enable 875neverallow { domain -init } hal_instrumentation_prop:property_service set; 876 877# Only init can write ro.property_service.version 878neverallow { domain -init } property_service_version_prop:property_service set; 879 880# Only init can set keystore.boot_level 881neverallow { domain -init } keystore_listen_prop:property_service set; 882