Lines Matching +full:- +full:- +full:init
1 typeattribute init coredomain;
3 tmpfs_domain(init)
5 # Transitions to seclabel processes in init.rc
6 domain_trans(init, rootfs, slideshow)
7 domain_auto_trans(init, charger_exec, charger)
8 domain_auto_trans(init, e2fs_exec, e2fs)
9 domain_auto_trans(init, bpfloader_exec, bpfloader)
13 domain_trans(init, rootfs, adbd)
14 domain_trans(init, rootfs, hal_bootctl_server)
15 domain_trans(init, rootfs, charger)
16 domain_trans(init, rootfs, fastbootd)
17 domain_trans(init, rootfs, hal_fastboot_server)
18 domain_trans(init, rootfs, hal_health_server)
19 domain_trans(init, rootfs, recovery)
20 domain_trans(init, rootfs, linkerconfig)
21 domain_trans(init, rootfs, servicemanager)
22 domain_trans(init, rootfs, snapuserd)
24 domain_trans(init, shell_exec, shell)
25 domain_trans(init, init_exec, ueventd)
26 domain_trans(init, init_exec, vendor_init)
27 domain_trans(init, { rootfs toolbox_exec }, modprobe)
29 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
30 domain_auto_trans(init, logcat_exec, logpersist)
32 # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
33 allow init su:process transition;
# noatsecure is silenced here, not granted: dontaudit only keeps the denial out of the
# audit log, and the neverallow at line 826 forbids init noatsecure for every target.
# The su process therefore still starts in secure-exec mode (AT_SECURE set).
34 dontaudit init su:process noatsecure;
# siginh / rlimitinh: su keeps the signal state and resource limits inherited from init
# instead of having them reset across the domain transition.
35 allow init su:process { siginh rlimitinh };
38 # Allow init to figure out the name of a dm-device from its /dev/block/dm-XX path.
40 # since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
42 allow init sysfs_dm:file read;
44 # Allow init to modify the properties of loop devices.
45 allow init sysfs_loop:dir r_dir_perms;
46 allow init sysfs_loop:file rw_file_perms;
48 # Allow init to examine the properties of block devices.
49 allow init sysfs_type:file { getattr read };
50 # Allow init to get the attributes of block devices in /dev/block.
51 allow init dev_type:dir r_dir_perms;
52 allow init dev_type:blk_file getattr;
54 # Allow init to write to the drop_caches file.
55 allow init proc_drop_caches:file rw_file_perms;
58 set_prop(init, powerctl_prop)
60 set_prop(init, userspace_reboot_exported_prop)
62 # Second-stage init performs a test for whether the kernel has SELinux hooks
68 allow init self:perf_event { open cpu };
69 allow init self:global_capability2_class_set perfmon;
71 # Allow init to communicate with snapuserd to transition Virtual A/B devices
72 # from the first-stage daemon to the second-stage.
73 allow init snapuserd_socket:sock_file write;
74 allow init snapuserd:unix_stream_socket connectto;
76 allow init ota_metadata_file:dir lock;
78 # Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
80 allow init vd_device:blk_file relabelto;
82 set_prop(init, init_perf_lsm_hooks_prop)
83 set_prop(init, vts_status_prop)
85 # Allow init to set 16kb app compatibility props
86 set_prop(init, bionic_linker_16kb_app_compat_prop)
87 set_prop(init, pm_16kb_app_compat_prop)
90 # Allow init to set/get prefetch boot prop to initiate record/replay
91 set_prop(init, ctl_prefetch_prop);
94 allow init debugfs_bootreceiver_tracing:file w_file_perms;
96 # PRNG seeder daemon socket is created and listened on by init before forking.
97 allow init prng_seeder:unix_stream_socket { create bind listen };
101 # up synthetic events. This is a no-op in tracefs.
102 dontaudit init debugfs_tracing_debug:dir { write add_name };
105 allow init {
107 -hw_random_device
108 -keychord_device
109 -vm_manager_device_type
110 -port_device
113 # /dev/__null__ node created by init.
114 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
117 # init direct restorecon calls.
120 allow init tmpfs:chr_file relabelfrom;
121 allow init kmsg_device:chr_file { getattr write relabelto };
124 allow init kmsg_debug_device:chr_file { open write relabelto };
127 allow init vm_data_file:dir { add_name create search write getattr setattr relabelto mounton };
129 # allow init to mount and unmount debugfs in debug builds
131 allow init debugfs:dir mounton;
135 allow init properties_device:dir relabelto;
136 allow init properties_serial:file { write relabelto };
137 allow init property_type:file { append create getattr map open read relabelto rename setattr unlink…
139 allow init properties_device:file create_file_perms;
140 allow init property_info:file relabelto;
141 # /dev/event-log-tags
142 allow init device:file relabelfrom;
143 allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
145 allow init { device socket_device dm_user_device }:dir relabelto;
146 # allow init to establish connection and communicate with lmkd
147 unix_socket_connect(init, lmkd, lmkd)
148 # Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
150 allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
151 # /dev/device-mapper, /dev/block(/.*)?
152 allow init tmpfs:{ chr_file blk_file } relabelfrom;
153 allow init tmpfs:blk_file getattr;
154 allow init block_device:{ dir blk_file lnk_file } relabelto;
155 allow init dm_device:{ chr_file blk_file } relabelto;
156 allow init dm_user_device:chr_file relabelto;
157 allow init kernel:fd use;
159 allow init tmpfs:lnk_file { getattr read relabelfrom };
160 allow init {
168 allow init dtbo_block_device:lnk_file relabelto;
169 allow init super_block_device:lnk_file relabelto;
171 # Create /mnt/sdcard -> /storage/self/primary symlink.
172 allow init mnt_sdcard_file:lnk_file create;
175 allow init self:global_capability_class_set sys_resource;
178 allow init tmpfs:file { getattr unlink };
181 allow init devpts:chr_file { read write open };
184 allow init fscklogs:file create_file_perms;
187 allow init tmpfs:chr_file write;
190 allow init console_device:chr_file rw_file_perms;
193 allow init tty_device:chr_file rw_file_perms;
196 allow init self:global_capability_class_set sys_admin;
199 allow init self:global_capability_class_set sys_chroot;
202 allow init rootfs:dir create_dir_perms;
203 allow init {
221 allow init fs_bpf:dir mounton;
223 # Mount on /dev/usb-ffs/adb.
224 allow init device:dir mounton;
227 allow init apex_mnt_dir:dir mounton;
229 # Bind-mount on /system/apex/com.android.art
230 allow init art_apex_dir:dir mounton;
233 allow init rootfs:lnk_file { create unlink };
236 allow init sysfs:dir mounton;
239 allow init tmpfs:dir create_dir_perms;
240 allow init tmpfs:dir mounton;
241 allow init cgroup:dir create_dir_perms;
242 allow init cgroup:file rw_file_perms;
243 allow init cgroup_rc_file:file rw_file_perms;
244 allow init cgroup_desc_file:file r_file_perms;
245 allow init vendor_cgroup_desc_file:file r_file_perms;
246 allow init cgroup_v2:dir { mounton create_dir_perms};
247 allow init cgroup_v2:file rw_file_perms;
250 allow init configfs:dir mounton;
251 allow init configfs:dir create_dir_perms;
252 allow init configfs:{ file lnk_file } create_file_perms;
255 allow init metadata_file:dir mounton;
258 allow init tmpfs:dir relabelfrom;
261 allow init self:global_capability_class_set { dac_override dac_read_search };
264 allow init self:global_capability_class_set sys_time;
266 allow init self:global_capability_class_set { sys_rawio mknod };
269 allow init dev_type:blk_file r_file_perms;
# allowxperm whitelists individual ioctl commands: once such a rule exists for a
# source/target/class, only the commands named in allowxperm rules pass the ioctl check.
# It does not grant the base ioctl permission itself, which must come from an allow rule
# (presumably r_file_perms on line 269 for blk_file; confirm against the macro definition).
270 allowxperm init dev_type:blk_file ioctl BLKROSET;
271 allowxperm init system_data_root_file:dir ioctl F2FS_IOC_SHUTDOWN;
276 # This can be done in device-specific policy via type or typeattribute
278 allow init {
280 enforce_debugfs_restriction(`-debugfs_type')
283 # Allow init to mount/unmount debugfs in non-user builds.
285 userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
288 # Allow init to mount tracefs in /sys/kernel/tracing
289 allow init debugfs_tracing_debug:filesystem mount;
# `~relabelto` is the complement set: every filesystem permission except relabelto.
291 allow init unlabeled:filesystem ~relabelto;
# relabelto on a filesystem is granted for types carrying the contextmount_type attribute.
292 allow init contextmount_type:filesystem relabelto;
294 # Allow read-only access to context= mounted filesystems.
295 allow init contextmount_type:dir r_dir_perms;
296 allow init contextmount_type:notdevfile_class_set r_file_perms;
300 allow init rootfs:{ dir file } relabelfrom;
302 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
304 # system/core/init.rc requires at least cache_file and data_file_type.
305 # init.<board>.rc files often include device-specific types, so
307 allow init self:global_capability_class_set { chown fowner fsetid };
309 allow init {
311 -app_data_file
313 -storage_area_dir
314 -storage_area_app_dir
315 -storage_area_content_file
317 -vm_data_file
318 -bpffs_type
319 -exec_type
320 -misc_logd_file
321 -nativetest_data_file
322 -privapp_data_file
323 -system_app_data_file
324 -system_dlkm_file_type
325 -system_file_type
326 -vendor_file_type
329 allow init {
331 -app_data_file
333 -storage_area_dir
334 -storage_area_app_dir
335 -storage_area_content_file
337 -vm_data_file
338 -bpffs_type
339 -credstore_data_file
340 -exec_type
341 -keystore_data_file
342 -media_userdir_file
343 -misc_logd_file
344 -nativetest_data_file
345 -privapp_data_file
346 -shell_data_file
347 -system_app_data_file
348 -system_dlkm_file_type
349 -system_file_type
350 -system_userdir_file
351 -vendor_file_type
352 -vendor_userdir_file
353 -vold_data_file
356 allow init {
358 -apex_info_file
359 -app_data_file
361 -storage_area_dir
362 -storage_area_app_dir
363 -storage_area_content_file
365 -vm_data_file
366 -bpffs_type
367 -exec_type
368 -gsi_data_file
369 -credstore_data_file
370 -keystore_data_file
371 -misc_logd_file
372 -nativetest_data_file
373 -privapp_data_file
374 -runtime_event_log_tags_file
375 -shell_data_file
376 -system_app_data_file
377 -system_dlkm_file_type
378 -system_file_type
379 -vendor_file_type
380 -vold_data_file
381 enforce_debugfs_restriction(`-debugfs_type')
384 allow init tracefs_type:file { create_file_perms relabelfrom };
386 # Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine
388 allow init apex_info_file:file r_file_perms;
390 allow init {
392 -app_data_file
394 -storage_area_dir
395 -storage_area_app_dir
396 -storage_area_content_file
398 -vm_data_file
399 -bpffs_type
400 -exec_type
401 -gsi_data_file
402 -credstore_data_file
403 -keystore_data_file
404 -misc_logd_file
405 -nativetest_data_file
406 -privapp_data_file
407 -shell_data_file
408 -system_app_data_file
409 -system_dlkm_file_type
410 -system_file_type
411 -vendor_file_type
412 -vold_data_file
415 allow init {
417 -apex_mnt_dir
418 -app_data_file
420 -storage_area_dir
421 -storage_area_app_dir
422 -storage_area_content_file
424 -vm_data_file
425 -bpffs_type
426 -exec_type
427 -gsi_data_file
428 -credstore_data_file
429 -keystore_data_file
430 -misc_logd_file
431 -nativetest_data_file
432 -privapp_data_file
433 -shell_data_file
434 -system_app_data_file
435 -system_dlkm_file_type
436 -system_file_type
437 -vendor_file_type
438 -vold_data_file
441 allow init cache_file:lnk_file r_file_perms;
443 allow init {
445 -bpffs_type
446 -system_dlkm_file_type
447 -system_file_type
448 -vendor_file_type
449 -exec_type
450 -app_data_file
452 -storage_area_dir
453 -storage_area_app_dir
454 -storage_area_content_file
456 -vm_data_file
457 -privapp_data_file
460 allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir …
461 allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file }…
462 allow init dev_type:dir create_dir_perms;
463 allow init dev_type:lnk_file create;
466 allow init debugfs_tracing:file w_file_perms;
468 # Setup and control wifi event tracing (see wifi-events.rc)
469 allow init debugfs_tracing_instances:dir create_dir_perms;
470 allow init debugfs_tracing_instances:file w_file_perms;
471 allow init debugfs_wifi_tracing:file w_file_perms;
472 allow init debugfs_wifi_tracing:dir create_dir_perms;
475 allow init {
477 -bpffs_type
478 -contextmount_type
479 -keychord_device
480 -proc_type
481 -sdcard_type
482 -fusefs_type
483 -sysfs_type
484 -rootfs
485 enforce_debugfs_restriction(`-debugfs_type')
487 allow init {
489 -bpffs_type
490 -contextmount_type
491 -sdcard_type
492 -fusefs_type
493 -rootfs
496 allow init {
514 allow init unlabeled:dir { create_dir_perms relabelfrom };
515 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
519 allow init kernel:system syslog_mod;
520 allow init self:global_capability2_class_set syslog;
522 # init access to /proc.
523 r_dir_file(init, proc_net_type)
524 allow init proc_filesystems:file r_file_perms;
528 allow init overlayfs_file:dir { relabelfrom mounton write };
529 allow init overlayfs_file:file { append rename };
530 allow init overlayfs_file:chr_file unlink;
531 allow init system_block_device:blk_file { write };
534 allow init {
546 allow init {
565 allow init {
569 # init chmod/chown access to /proc files.
570 allow init {
583 # init access to /sys files.
584 allow init {
595 allow init {
600 allow init {
604 # allow init to create loop devices with /dev/loop-control
605 allow init loop_control_device:chr_file rw_file_perms;
606 allow init loop_device:blk_file rw_file_perms;
607 allowxperm init loop_device:blk_file ioctl {
617 # Allow init to write to vibrator/trigger
618 allow init sysfs_vibrator:file w_file_perms;
620 # init chmod/chown access to /sys files.
621 allow init {
635 allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
637 allow init self:global_capability_class_set net_admin;
640 allow init self:global_capability_class_set sys_boot;
642 # Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
643 # Init will also walk through the directory as part of a recursive restorecon.
644 allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
645 allow init misc_logd_file:file { open create getattr setattr write };
648 allow init self:global_capability_class_set kill;
649 allow init domain:process { getpgid sigkill signal };
651 # Init creates credstore's directory on boot, and walks through
653 allow init credstore_data_file:dir { open create read getattr setattr search };
654 allow init credstore_data_file:file { getattr };
656 # Init creates keystore's directory on boot, and walks through
658 allow init keystore_data_file:dir { open create read getattr setattr search };
659 allow init keystore_data_file:file { getattr };
661 # Init creates vold's directory on boot, and walks through
663 allow init vold_data_file:dir { open create read getattr setattr search };
664 allow init vold_data_file:file { getattr };
666 # Init creates /data/local/tmp at boot
667 allow init shell_data_file:dir { open create read getattr setattr search };
668 allow init shell_data_file:file { getattr };
671 allow init self:global_capability_class_set { setuid setgid setpcap };
674 # we need to have following line to allow init to have access
676 r_dir_file(init, domain)
682 allow init self:process { setexec setfscreate setsockcreate };
685 allow init file_contexts_file:file r_file_perms;
688 allow init sepolicy_file:file r_file_perms;
691 selinux_check_access(init)
694 allow init kernel:security compute_create;
697 allow init domain:unix_stream_socket { create bind setopt };
698 allow init domain:unix_dgram_socket { create bind setopt };
701 allow init property_data_file:dir create_dir_perms;
702 allow init property_data_file:file create_file_perms;
705 allow init property_type:property_service set;
710 allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
711 allow init self:global_capability_class_set audit_write;
714 allow init self:udp_socket { create ioctl };
715 # in addition to unpriv ioctls granted to all domains, init also needs:
716 allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
717 allow init self:global_capability_class_set net_raw;
721 allow init kernel:process { getsched setsched };
724 # system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
725 allow init swap_block_device:blk_file rw_file_perms;
727 allow init swap_block_device:blk_file setattr;
732 # only ever accessed by init.
733 allow init device:file create_file_perms;
736 allow init input_device:dir r_dir_perms;
737 allow init input_device:chr_file rw_file_perms;
739 # Access device mapper for setting up dm-verity
740 allow init dm_device:chr_file rw_file_perms;
741 allow init dm_device:blk_file rw_file_perms;
743 # Access dm-user for OTA boot
744 allow init dm_user_device:chr_file rw_file_perms;
746 # Access metadata block device for storing dm-verity state
747 allow init metadata_block_device:blk_file rw_file_perms;
749 # Read /sys/fs/pstore/console-ramoops to detect restarts caused
750 # by dm-verity detecting corrupted blocks
751 allow init pstorefs:dir search;
752 allow init pstorefs:file r_file_perms;
753 allow init kernel:system syslog_read;
756 allow init init:key { write search setattr };
758 # Allow init to create /data/unencrypted
759 allow init unencrypted_data_file:dir create_dir_perms;
762 allowxperm init { data_file_type unlabeled }:dir ioctl {
768 allow init misc_block_device:blk_file w_file_perms;
770 r_dir_file(init, system_file)
771 r_dir_file(init, system_dlkm_file_type)
772 r_dir_file(init, vendor_file_type)
774 allow init system_data_file:file { getattr read };
775 allow init system_data_file:lnk_file r_file_perms;
777 # For init to be able to run shell scripts from vendor
778 allow init vendor_shell_exec:file execute;
781 allow init vold_metadata_file:dir create_dir_perms;
782 allow init vold_metadata_file:file getattr;
783 allow init metadata_bootstat_file:dir create_dir_perms;
784 allow init metadata_bootstat_file:file w_file_perms;
785 allow init userspace_reboot_metadata_file:file w_file_perms;
787 # Allow init to touch PSI monitors
788 allow init proc_pressure_mem:file { rw_file_perms setattr };
790 # init is using bootstrap bionic
791 use_bootstrap_libs(init)
794 allow init fuse:dir { search getattr };
797 allow init userdata_sysdev:file create_file_perms;
800 allow init rootdisk_sysdev:file create_file_perms;
806 # The init domain is only entered via an exec based transition from the
# neverallow rules are assertions checked when the policy is compiled; they grant nothing.
# No domain may switch into init through a dynamic (setcon-style) transition.
808 neverallow domain init:process dyntransition;
# An exec-based transition into init is reserved for the kernel domain.
809 neverallow { domain -kernel } init:process transition;
# init_exec is the only file label that may serve as the entrypoint of the init domain.
810 neverallow init { file_type fs_type -init_exec }:file entrypoint;
813 neverallow init shell_data_file:lnk_file read;
814 neverallow init app_data_file_type:lnk_file read;
816 # init should never execute a program without changing to another domain.
817 neverallow init { file_type fs_type }:file execute_no_trans;
820 # when init is executing other binaries. The use of LD_PRELOAD for init spawned
821 # services is generally considered a no-no, as it injects libraries which the
826 neverallow init *:process noatsecure;
828 # init can never add binder services
829 neverallow init service_manager_type:service_manager { add find };
830 # init can never list binder services
831 neverallow init servicemanager:service_manager list;
833 # Init should not be creating subdirectories in /data/local/tmp
834 neverallow init shell_data_file:dir { write add_name remove_name };
836 # Init should not access sysfs nodes that are not explicitly labeled.
837 neverallow init sysfs:file { open write };
839 # No domain should be allowed to ptrace init.
840 neverallow * init:process ptrace;
842 # init owns the root of /data
845 neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name …
847 # Only init is allowed to set userspace reboot related properties.
848 neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
# init's access to its own perf_event class stays limited to `open` and `cpu` (allow rule
# at line 68); the other operations are asserted forbidden. dontaudit keeps the resulting
# denials out of the audit log (presumably they are expected during the SELinux hook test
# mentioned at line 62; confirm against the full file).
850 neverallow init self:perf_event { kernel tracepoint read write };
851 dontaudit init self:perf_event { kernel tracepoint read write };
853 # Only init is allowed to set the sysprop indicating whether perf_event_open()
855 neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
857 # Only init can write vts.native_server.on
858 neverallow { domain -init } vts_status_prop:property_service set;
860 # Only init can write normal ro.boot. properties
861 neverallow { domain -init } bootloader_prop:property_service set;
863 # Only init can write hal.instrumentation.enable
864 neverallow { domain -init } hal_instrumentation_prop:property_service set;
866 # Only init can write ro.property_service.version
867 neverallow { domain -init } property_service_version_prop:property_service set;
869 # Only init can set keystore.boot_level
870 neverallow { domain -init } keystore_listen_prop:property_service set;