# SELinux policy rules for the init domain. The listing was collapsed by the
# source viewer; the statements below are unchanged, one per line.
typeattribute init coredomain;

tmpfs_domain(init)

# Transitions to seclabel processes in init.rc
# NOTE(review): domain_trans and domain_auto_trans are macros defined outside
# this file. In AOSP te_macros the former only permits the transition, while
# the latter also makes it the default on exec of the given file type; confirm
# against the te_macros of the tree under review.
domain_trans(init, rootfs, healthd)
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, charger_exec, charger)
domain_auto_trans(init, e2fs_exec, e2fs)
domain_auto_trans(init, bpfloader_exec, bpfloader)

recovery_only(`
  # Files in recovery image are labeled as rootfs.
  # These transitions therefore key on the broad rootfs label rather than on a
  # dedicated exec type for each service.
  domain_trans(init, rootfs, adbd)
  domain_trans(init, rootfs, charger)
  domain_trans(init, rootfs, fastbootd)
  domain_trans(init, rootfs, recovery)
  domain_trans(init, rootfs, linkerconfig)
  domain_trans(init, rootfs, snapuserd)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, vendor_init)
domain_trans(init, { rootfs toolbox_exec }, modprobe)
userdebug_or_eng(`
  # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
  domain_auto_trans(init, logcat_exec, logpersist)

  # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
  # Everything in this block is wrapped in userdebug_or_eng, so the su rules
  # are not expected in a user build; check the compiled policy when auditing.
  allow init su:process transition;
  # dontaudit grants nothing: noatsecure stays denied, only the audit record
  # for that denial is suppressed.
  dontaudit init su:process noatsecure;
  allow init su:process { siginh rlimitinh };
')

# Allow init to figure out the name of a dm-device from its /dev/block/dm-XX path.
# This is useful in case of remounting ext4 userdata into checkpointing mode,
# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
# that userdata is mounted onto.
# Read-only: no write permission on sysfs_dm files is granted here.
allow init sysfs_dm:file read;

# Allow init to modify the properties of loop devices.
allow init sysfs_loop:dir r_dir_perms;
allow init sysfs_loop:file rw_file_perms;

# Allow init to examine the properties of block devices.
allow init sysfs_block_type:file { getattr read };
# Allow init to access /dev/block.
# Only directory reads and getattr on the block nodes are granted by these two
# rules; they do not allow opening, reading or writing the block devices.
allow init bdev_type:dir r_dir_perms;
allow init bdev_type:blk_file getattr;

# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;

# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)

# Only init is allowed to set userspace reboot related properties.
# The neverallow is an assertion checked when the policy is built; it grants
# nothing and fails the build if any other domain is given this permission.
set_prop(init, userspace_reboot_exported_prop)
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;

# Second-stage init performs a test for whether the kernel has SELinux hooks
# for the perf_event_open() syscall. This is done by testing for the syscall
# outcomes corresponding to this policy.
# TODO(b/137092007): this can be removed once the platform stops supporting
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
# and 4.9).
allow init self:perf_event { open cpu };
allow init self:global_capability2_class_set perfmon;
# The remaining perf_event permissions are asserted to stay denied, and the
# dontaudit keeps those denials out of the audit log.
# NOTE(review): presumably these are the denials the probe expects; confirm
# against the init source.
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };

# Allow init to communicate with snapuserd to transition Virtual A/B devices
# from the first-stage daemon to the second-stage.
allow init snapuserd_socket:sock_file write;
allow init snapuserd:unix_stream_socket connectto;
# Allow for libsnapshot's use of flock() on /metadata/ota.
allow init ota_metadata_file:dir lock;

# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;

# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;

# Only init can write vts.native_server.on
set_prop(init, vts_status_prop)
neverallow { domain -init } vts_status_prop:property_service set;

# The four assertions below have no matching set_prop(init, ...) in this
# excerpt. They only forbid other domains from setting the property; any grant
# to init itself has to come from rules elsewhere in the policy.

# Only init can write normal ro.boot. properties
neverallow { domain -init } bootloader_prop:property_service set;

# Only init can write hal.instrumentation.enable
neverallow { domain -init } hal_instrumentation_prop:property_service set;

# Only init can write ro.property_service.version
neverallow { domain -init } property_service_version_prop:property_service set;

# Only init can set keystore.boot_level
neverallow { domain -init } keystore_listen_prop:property_service set;

# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;

# chown/chmod on devices.
# The four types prefixed with a minus are subtracted from dev_type, so this
# rule gives init no setattr on character devices carrying those labels.
allow init {
  dev_type
  -hw_random_device
  -keychord_device
  -kvm_device
  -port_device
}:chr_file setattr;