xref: /aosp_15_r20/system/sepolicy/prebuilts/api/202404/public/init.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290) 
1# init is its own domain.
2type init, domain, mlstrustedsubject;
3type init_exec, system_file_type, exec_type, file_type;
4type init_tmpfs, file_type;
5
6# /dev/__null__ node created by init.
7allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
8
9#
10# init direct restorecon calls.
11#
12# /dev/kmsg
13allow init tmpfs:chr_file relabelfrom;
14allow init kmsg_device:chr_file { getattr write relabelto };
15# /dev/kmsg_debug
16userdebug_or_eng(`
17  allow init kmsg_debug_device:chr_file { open write relabelto };
18')
19
20# allow init to mount and unmount debugfs in debug builds
21userdebug_or_eng(`
22  allow init debugfs:dir mounton;
23')
24
25# /dev/__properties__
26allow init properties_device:dir relabelto;
27allow init properties_serial:file { write relabelto };
28allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
29# /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info
30allow init properties_device:file create_file_perms;
31allow init property_info:file relabelto;
32# /dev/event-log-tags
33allow init device:file relabelfrom;
34allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
35# /dev/socket
36allow init { device socket_device dm_user_device }:dir relabelto;
37# allow init to establish connection and communicate with lmkd
38unix_socket_connect(init, lmkd, lmkd)
39# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
40# and /dev/urandom
41allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
42# /dev/device-mapper, /dev/block(/.*)?
43allow init tmpfs:{ chr_file blk_file } relabelfrom;
44allow init tmpfs:blk_file getattr;
45allow init block_device:{ dir blk_file lnk_file } relabelto;
46allow init dm_device:{ chr_file blk_file } relabelto;
47allow init dm_user_device:chr_file relabelto;
48allow init kernel:fd use;
49# restorecon for early mount device symlinks
50allow init tmpfs:lnk_file { getattr read relabelfrom };
51allow init {
52  metadata_block_device
53  misc_block_device
54  recovery_block_device
55  system_block_device
56  userdata_block_device
57}:{ blk_file lnk_file } relabelto;
58
59allow init dtbo_block_device:lnk_file relabelto;
60allow init super_block_device:lnk_file relabelto;
61
62# Create /mnt/sdcard -> /storage/self/primary symlink.
63allow init mnt_sdcard_file:lnk_file create;
64
65# setrlimit
66allow init self:global_capability_class_set sys_resource;
67
68# Remove /dev/.booting and load /debug_ramdisk/* files
69allow init tmpfs:file { getattr unlink };
70
71# Access pty created for fsck.
72allow init devpts:chr_file { read write open };
73
74# Create /dev/fscklogs files.
75allow init fscklogs:file create_file_perms;
76
77# Access /dev/__null__ node created prior to initial policy load.
78allow init tmpfs:chr_file write;
79
80# Access /dev/console.
81allow init console_device:chr_file rw_file_perms;
82
83# Access /dev/tty0.
84allow init tty_device:chr_file rw_file_perms;
85
86# Call mount(2).
87allow init self:global_capability_class_set sys_admin;
88
89# Call setns(2).
90allow init self:global_capability_class_set sys_chroot;
91
92# Create and mount on directories in /.
93allow init rootfs:dir create_dir_perms;
94allow init {
95    rootfs
96    cache_file
97    cgroup
98    linkerconfig_file
99    storage_file
100    mnt_user_file
101    system_data_file
102    system_data_root_file
103    system_dlkm_file
104    system_file
105    vendor_file
106    postinstall_mnt_dir
107    mirror_data_file
108    shell_data_file
109}:dir mounton;
110
111# Mount bpf fs on sys/fs/bpf
112allow init fs_bpf:dir mounton;
113
114# Mount on /dev/usb-ffs/adb.
115allow init device:dir mounton;
116
117# Mount tmpfs on /apex
118allow init apex_mnt_dir:dir mounton;
119
120# Bind-mount on /system/apex/com.android.art
121allow init art_apex_dir:dir mounton;
122
123# Create and remove symlinks in /.
124allow init rootfs:lnk_file { create unlink };
125
126# Mount debugfs on /sys/kernel/debug.
127allow init sysfs:dir mounton;
128
129# Create cgroups mount points in tmpfs and mount cgroups on them.
130allow init tmpfs:dir create_dir_perms;
131allow init tmpfs:dir mounton;
132allow init cgroup:dir create_dir_perms;
133allow init cgroup:file rw_file_perms;
134allow init cgroup_rc_file:file rw_file_perms;
135allow init cgroup_desc_file:file r_file_perms;
136allow init cgroup_desc_api_file:file r_file_perms;
137allow init vendor_cgroup_desc_file:file r_file_perms;
138allow init cgroup_v2:dir { mounton create_dir_perms};
139allow init cgroup_v2:file rw_file_perms;
140
141# /config
142allow init configfs:dir mounton;
143allow init configfs:dir create_dir_perms;
144allow init configfs:{ file lnk_file } create_file_perms;
145
146# /metadata
147allow init metadata_file:dir mounton;
148
149# Run restorecon on /dev
150allow init tmpfs:dir relabelfrom;
151
152# Create directories under /dev/cpuctl after chowning it to system.
153allow init self:global_capability_class_set { dac_override dac_read_search };
154
155# Set system clock.
156allow init self:global_capability_class_set sys_time;
157
158allow init self:global_capability_class_set { sys_rawio mknod };
159
160# Mounting filesystems from block devices.
161allow init dev_type:blk_file r_file_perms;
162allowxperm init dev_type:blk_file ioctl BLKROSET;
163allowxperm init system_data_root_file:dir ioctl F2FS_IOC_SHUTDOWN;
164
165# Mounting filesystems.
166# Only allow relabelto for types used in context= mount options,
167# which should all be assigned the contextmount_type attribute.
168# This can be done in device-specific policy via type or typeattribute
169# declarations.
170allow init {
171  fs_type
172  enforce_debugfs_restriction(`-debugfs_type')
173}:filesystem ~relabelto;
174
175# Allow init to mount/unmount debugfs in non-user builds.
176enforce_debugfs_restriction(`
177  userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
178')
179
180# Allow init to mount tracefs in /sys/kernel/tracing
181allow init debugfs_tracing_debug:filesystem mount;
182
183allow init unlabeled:filesystem ~relabelto;
184allow init contextmount_type:filesystem relabelto;
185
186# Allow read-only access to context= mounted filesystems.
187allow init contextmount_type:dir r_dir_perms;
188allow init contextmount_type:notdevfile_class_set r_file_perms;
189
190# restorecon /adb_keys or any other rootfs files and directories to a more
191# specific type.
192allow init rootfs:{ dir file } relabelfrom;
193
194# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
195# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
196# system/core/init.rc requires at least cache_file and data_file_type.
197# init.<board>.rc files often include device-specific types, so
198# we just allow all file types except /system files here.
199allow init self:global_capability_class_set { chown fowner fsetid };
200
201allow init {
202  file_type
203  -app_data_file
204  -bpffs_type
205  -exec_type
206  -misc_logd_file
207  -nativetest_data_file
208  -privapp_data_file
209  -system_app_data_file
210  -system_dlkm_file_type
211  -system_file_type
212  -vendor_file_type
213}:dir { create search getattr open read setattr ioctl };
214
215allow init {
216  file_type
217  -app_data_file
218  -bpffs_type
219  -credstore_data_file
220  -exec_type
221  -keystore_data_file
222  -media_userdir_file
223  -misc_logd_file
224  -nativetest_data_file
225  -privapp_data_file
226  -shell_data_file
227  -system_app_data_file
228  -system_dlkm_file_type
229  -system_file_type
230  -system_userdir_file
231  -vendor_file_type
232  -vendor_userdir_file
233  -vold_data_file
234}:dir { write add_name remove_name rmdir relabelfrom };
235
236allow init {
237  file_type
238  -apex_info_file
239  -app_data_file
240  -bpffs_type
241  -exec_type
242  -gsi_data_file
243  -credstore_data_file
244  -keystore_data_file
245  -misc_logd_file
246  -nativetest_data_file
247  -privapp_data_file
248  -runtime_event_log_tags_file
249  -shell_data_file
250  -system_app_data_file
251  -system_dlkm_file_type
252  -system_file_type
253  -vendor_file_type
254  -vold_data_file
255  enforce_debugfs_restriction(`-debugfs_type')
256}:file { create getattr open read write setattr relabelfrom unlink map };
257
258allow init tracefs_type:file { create_file_perms relabelfrom };
259
260# Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine
261# subcontext for action/service defined in APEXes.
262allow init apex_info_file:file r_file_perms;
263
264allow init {
265  file_type
266  -app_data_file
267  -bpffs_type
268  -exec_type
269  -gsi_data_file
270  -credstore_data_file
271  -keystore_data_file
272  -misc_logd_file
273  -nativetest_data_file
274  -privapp_data_file
275  -shell_data_file
276  -system_app_data_file
277  -system_dlkm_file_type
278  -system_file_type
279  -vendor_file_type
280  -vold_data_file
281}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
282
283allow init {
284  file_type
285  -apex_mnt_dir
286  -app_data_file
287  -bpffs_type
288  -exec_type
289  -gsi_data_file
290  -credstore_data_file
291  -keystore_data_file
292  -misc_logd_file
293  -nativetest_data_file
294  -privapp_data_file
295  -shell_data_file
296  -system_app_data_file
297  -system_dlkm_file_type
298  -system_file_type
299  -vendor_file_type
300  -vold_data_file
301}:lnk_file { create getattr setattr relabelfrom unlink };
302
303allow init cache_file:lnk_file r_file_perms;
304
305allow init {
306  file_type
307  -bpffs_type
308  -system_dlkm_file_type
309  -system_file_type
310  -vendor_file_type
311  -exec_type
312  -app_data_file
313  -privapp_data_file
314}:dir_file_class_set relabelto;
315
316allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
317allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
318allow init dev_type:dir create_dir_perms;
319allow init dev_type:lnk_file create;
320
321# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
322allow init debugfs_tracing:file w_file_perms;
323
324# Setup and control wifi event tracing (see wifi-events.rc)
325allow init debugfs_tracing_instances:dir create_dir_perms;
326allow init debugfs_tracing_instances:file w_file_perms;
327allow init debugfs_wifi_tracing:file w_file_perms;
328
329# chown/chmod on pseudo files.
330allow init {
331  fs_type
332  -bpffs_type
333  -contextmount_type
334  -keychord_device
335  -proc_type
336  -sdcard_type
337  -fusefs_type
338  -sysfs_type
339  -rootfs
340  enforce_debugfs_restriction(`-debugfs_type')
341}:file { open read setattr };
342allow init {
343  fs_type
344  -bpffs_type
345  -contextmount_type
346  -sdcard_type
347  -fusefs_type
348  -rootfs
349}:dir { open read setattr search };
350
351allow init {
352  binder_device
353  console_device
354  devpts
355  dm_device
356  hwbinder_device
357  input_device
358  kmsg_device
359  null_device
360  owntty_device
361  pmsg_device
362  ptmx_device
363  random_device
364  tty_device
365  zero_device
366}:chr_file { read open };
367
368# Unlabeled file access for upgrades from 4.2.
369allow init unlabeled:dir { create_dir_perms relabelfrom };
370allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
371
372# Any operation that can modify the kernel ring buffer, e.g. clear
373# or a read that consumes the messages that were read.
374allow init kernel:system syslog_mod;
375allow init self:global_capability2_class_set syslog;
376
377# init access to /proc.
378r_dir_file(init, proc_net_type)
379allow init proc_filesystems:file r_file_perms;
380
381userdebug_or_eng(`
382  # Overlayfs workdir write access check during mount to permit remount,rw
383  allow init overlayfs_file:dir { relabelfrom mounton write };
384  allow init overlayfs_file:file { append rename };
385  allow init overlayfs_file:chr_file unlink;
386  allow init system_block_device:blk_file { write };
387')
388
389allow init {
390  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
391  proc_bootconfig
392  proc_cmdline
393  proc_diskstats
394  proc_kmsg # Open /proc/kmsg for logd service.
395  proc_meminfo
396  proc_stat # Read /proc/stat for bootchart.
397  proc_uptime
398  proc_version
399}:file r_file_perms;
400
401allow init {
402  proc_abi
403  proc_cpu_alignment
404  proc_dirty
405  proc_hostname
406  proc_hung_task
407  proc_extra_free_kbytes
408  proc_net_type
409  proc_max_map_count
410  proc_min_free_order_shift
411  proc_overcommit_memory      # /proc/sys/vm/overcommit_memory
412  proc_panic
413  proc_page_cluster
414  proc_perf
415  proc_sched
416  proc_sysrq
417  proc_watermark_boost_factor
418}:file w_file_perms;
419
420allow init {
421  proc_security
422}:file rw_file_perms;
423
424# init chmod/chown access to /proc files.
425allow init {
426  proc_cmdline
427  proc_bootconfig
428  proc_kmsg
429  proc_net
430  proc_pagetypeinfo
431  proc_qtaguid_stat
432  proc_slabinfo
433  proc_sysrq
434  proc_qtaguid_ctrl
435  proc_vmallocinfo
436}:file setattr;
437
438# init access to /sys files.
439allow init {
440  sysfs_android_usb
441  sysfs_dm_verity
442  sysfs_leds
443  sysfs_power
444  sysfs_fs_f2fs
445  sysfs_dm
446  sysfs_lru_gen_enabled
447}:file w_file_perms;
448
449allow init {
450  sysfs_dt_firmware_android
451  sysfs_fs_ext4_features
452}:file r_file_perms;
453
454allow init {
455  sysfs_zram
456}:file rw_file_perms;
457
458# allow init to create loop devices with /dev/loop-control
459allow init loop_control_device:chr_file rw_file_perms;
460allow init loop_device:blk_file rw_file_perms;
461allowxperm init loop_device:blk_file ioctl {
462  LOOP_SET_FD
463  LOOP_CLR_FD
464  LOOP_CTL_GET_FREE
465  LOOP_SET_BLOCK_SIZE
466  LOOP_SET_DIRECT_IO
467  LOOP_GET_STATUS
468  LOOP_SET_STATUS64
469};
470
471# Allow init to write to vibrator/trigger
472allow init sysfs_vibrator:file w_file_perms;
473
474# init chmod/chown access to /sys files.
475allow init {
476  sysfs_android_usb
477  sysfs_devices_system_cpu
478  sysfs_ipv4
479  sysfs_leds
480  sysfs_lowmemorykiller
481  sysfs_power
482  sysfs_vibrator
483  sysfs_wake_lock
484  sysfs_zram
485}:file setattr;
486
487# Set usermodehelpers.
488allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
489
490allow init self:global_capability_class_set net_admin;
491
492# Reboot.
493allow init self:global_capability_class_set sys_boot;
494
495# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
496# Init will also walk through the directory as part of a recursive restorecon.
497allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
498allow init misc_logd_file:file { open create getattr setattr write };
499
500# Support "adb shell stop"
501allow init self:global_capability_class_set kill;
502allow init domain:process { getpgid sigkill signal };
503
504# Init creates credstore's directory on boot, and walks through
505# the directory as part of a recursive restorecon.
506allow init credstore_data_file:dir { open create read getattr setattr search };
507allow init credstore_data_file:file { getattr };
508
509# Init creates keystore's directory on boot, and walks through
510# the directory as part of a recursive restorecon.
511allow init keystore_data_file:dir { open create read getattr setattr search };
512allow init keystore_data_file:file { getattr };
513
514# Init creates vold's directory on boot, and walks through
515# the directory as part of a recursive restorecon.
516allow init vold_data_file:dir { open create read getattr setattr search };
517allow init vold_data_file:file { getattr };
518
519# Init creates /data/local/tmp at boot
520allow init shell_data_file:dir { open create read getattr setattr search };
521allow init shell_data_file:file { getattr };
522
523# Set UID, GID, and adjust capability bounding set for services.
524allow init self:global_capability_class_set { setuid setgid setpcap };
525
526# For bootchart to read the /proc/$pid/cmdline file of each process,
527# we need to have following line to allow init to have access
528# to different domains.
529r_dir_file(init, domain)
530
531# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
532# setexec is for services with seclabel options.
533# setfscreate is for labeling directories and socket files.
534# setsockcreate is for labeling local/unix domain sockets.
535allow init self:process { setexec setfscreate setsockcreate };
536
537# Get file context
538allow init file_contexts_file:file r_file_perms;
539
540# sepolicy access
541allow init sepolicy_file:file r_file_perms;
542
543# Perform SELinux access checks on setting properties.
544selinux_check_access(init)
545
546# Ask the kernel for the new context on services to label their sockets.
547allow init kernel:security compute_create;
548
549# Create sockets for the services.
550allow init domain:unix_stream_socket { create bind setopt };
551allow init domain:unix_dgram_socket { create bind setopt };
552
553# Create /data/property and files within it.
554allow init property_data_file:dir create_dir_perms;
555allow init property_data_file:file create_file_perms;
556
557# Set any property.
558allow init property_type:property_service set;
559
560# Send an SELinux userspace denial to the kernel audit subsystem,
561# so it can be picked up and processed by logd. These denials are
562# generated when an attempt to set a property is denied by policy.
563allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
564allow init self:global_capability_class_set audit_write;
565
566# Run "ifup lo" to bring up the localhost interface
567allow init self:udp_socket { create ioctl };
568# in addition to unpriv ioctls granted to all domains, init also needs:
569allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
570allow init self:global_capability_class_set net_raw;
571
572# Set scheduling info for psi monitor thread.
573# TODO: delete or revise this line b/131761776
574allow init kernel:process { getsched setsched };
575
576# swapon() needs write access to swap device
577# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
578allow init swap_block_device:blk_file rw_file_perms;
579
580# Create and access /dev files without a specific type,
581# e.g. /dev/.coldboot_done, /dev/.booting
582# TODO:  Move these files into their own type unless they are
583# only ever accessed by init.
584allow init device:file create_file_perms;
585
586# keychord retrieval from /dev/input/ devices
587allow init input_device:dir r_dir_perms;
588allow init input_device:chr_file rw_file_perms;
589
590# Access device mapper for setting up dm-verity
591allow init dm_device:chr_file rw_file_perms;
592allow init dm_device:blk_file rw_file_perms;
593
594# Access dm-user for OTA boot
595allow init dm_user_device:chr_file rw_file_perms;
596
597# Access metadata block device for storing dm-verity state
598allow init metadata_block_device:blk_file rw_file_perms;
599
600# Read /sys/fs/pstore/console-ramoops to detect restarts caused
601# by dm-verity detecting corrupted blocks
602allow init pstorefs:dir search;
603allow init pstorefs:file r_file_perms;
604allow init kernel:system syslog_read;
605
606# linux keyring configuration
607allow init init:key { write search setattr };
608
609# Allow init to create /data/unencrypted
610allow init unencrypted_data_file:dir create_dir_perms;
611
612# Set encryption policy on dirs in /data
613allowxperm init { data_file_type unlabeled }:dir ioctl {
614  FS_IOC_GET_ENCRYPTION_POLICY
615  FS_IOC_SET_ENCRYPTION_POLICY
616};
617
618# Raw writes to misc block device
619allow init misc_block_device:blk_file w_file_perms;
620
621r_dir_file(init, system_file)
622r_dir_file(init, system_dlkm_file_type)
623r_dir_file(init, vendor_file_type)
624
625allow init system_data_file:file { getattr read };
626allow init system_data_file:lnk_file r_file_perms;
627
628# For init to be able to run shell scripts from vendor
629allow init vendor_shell_exec:file execute;
630
631# Metadata setup
632allow init vold_metadata_file:dir create_dir_perms;
633allow init vold_metadata_file:file getattr;
634allow init metadata_bootstat_file:dir create_dir_perms;
635allow init metadata_bootstat_file:file w_file_perms;
636allow init userspace_reboot_metadata_file:file w_file_perms;
637
638# Allow init to touch PSI monitors
639allow init proc_pressure_mem:file { rw_file_perms setattr };
640
641# init is using bootstrap bionic
642use_bootstrap_libs(init)
643
644# stat the root dir of fuse filesystems (for the mount handler)
645allow init fuse:dir { search getattr };
646
647# allow filesystem tuning
648allow init userdata_sysdev:file create_file_perms;
649
650# allow disk tuning
651allow init rootdisk_sysdev:file create_file_perms;
652
653###
654### neverallow rules
655###
656
657# The init domain is only entered via an exec based transition from the
658# kernel domain, never via setcon().
659neverallow domain init:process dyntransition;
660neverallow { domain -kernel } init:process transition;
661neverallow init { file_type fs_type -init_exec }:file entrypoint;
662
663# Never read/follow symlinks created by shell or untrusted apps.
664neverallow init shell_data_file:lnk_file read;
665neverallow init app_data_file_type:lnk_file read;
666
667# init should never execute a program without changing to another domain.
668neverallow init { file_type fs_type }:file execute_no_trans;
669
670# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
671# when init is executing other binaries. The use of LD_PRELOAD for init spawned
672# services is generally considered a no-no, as it injects libraries which the
673# binary was not expecting. This is especially problematic for APEXes. The use
674# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
675# code into a process which wasn't expecting that code, with potentially
676# unexpected side effects. (b/140789528)
677neverallow init *:process noatsecure;
678
679# init can never add binder services
680neverallow init service_manager_type:service_manager { add find };
681# init can never list binder services
682neverallow init servicemanager:service_manager list;
683
684# Init should not be creating subdirectories in /data/local/tmp
685neverallow init shell_data_file:dir { write add_name remove_name };
686
687# Init should not access sysfs node that are not explicitly labeled.
688neverallow init sysfs:file { open write };
689
690# No domain should be allowed to ptrace init.
691neverallow * init:process ptrace;
692
693# init owns the root of /data
694# TODO(b/140259336) We want to remove vendor_init
695# TODO(b/141108496) We want to remove toolbox
696neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
697