# Policy for the init domain (first- and second-stage init).
#
# init is a coredomain: it is part of platform (system) policy rather than
# vendor policy.
typeattribute init coredomain;

# Give init its own private type for the tmpfs objects it creates, instead of
# sharing the generic tmpfs type with other domains.
tmpfs_domain(init)

# Transitions to seclabel processes in init.rc.
#
# domain_trans() only *permits* init to transition into the target domain when
# it execs a file of the given type; the service must still name that domain
# with "seclabel" in its init.rc entry. domain_auto_trans() additionally adds a
# type_transition, so the switch happens automatically on exec without a
# seclabel line.
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, charger_exec, charger)
domain_auto_trans(init, e2fs_exec, e2fs)
domain_auto_trans(init, bpfloader_exec, bpfloader)

recovery_only(`
    # Files in recovery image are labeled as rootfs, so these transitions are
    # keyed on the generic rootfs type rather than per-service *_exec types.
    # They are non-automatic: the recovery init.rc selects the domain via
    # seclabel. None of these rules exist in the normal (non-recovery) policy.
    domain_trans(init, rootfs, adbd)
    domain_trans(init, rootfs, charger)
    domain_trans(init, rootfs, fastbootd)
    domain_trans(init, rootfs, hal_health_server)
    domain_trans(init, rootfs, recovery)
    domain_trans(init, rootfs, linkerconfig)
    domain_trans(init, rootfs, servicemanager)
    domain_trans(init, rootfs, snapuserd)
')
domain_trans(init, shell_exec, shell)
# ueventd and vendor_init are the same binary as init (init_exec); the domain
# is chosen by seclabel, so these are deliberately not auto-transitions.
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, vendor_init)
# modprobe may be run from the rootfs (first stage) or via toolbox_exec.
domain_trans(init, { rootfs toolbox_exec }, modprobe)
userdebug_or_eng(`
    # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
    domain_auto_trans(init, logcat_exec, logpersist)

    # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng.
    # None of these rules are compiled into user builds. 'transition' is the
    # bare permission to enter the su domain; noatsecure suppresses the audit
    # that would otherwise fire because AT_SECURE is not set for su; siginh and
    # rlimitinh let su inherit init's signal state and resource limits.
    allow init su:process transition;
    dontaudit init su:process noatsecure;
    allow init su:process { siginh rlimitinh };
')

# Allow init to figure out name of dm-device from its /dev/block/dm-XX path.
# This is useful in case of remounting ext4 userdata into checkpointing mode,
# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypt)
# that userdata is mounted onto.
allow init sysfs_dm:file read;

# Allow init to modify the properties of loop devices.
allow init sysfs_loop:dir r_dir_perms;
allow init sysfs_loop:file rw_file_perms;

# Allow init to examine the properties of block devices.
# sysfs_type is the attribute shared by all sysfs labels, so this is read
# access across sysfs; it is intentionally limited to getattr/read, with
# write access granted only for the specific labels above.
allow init sysfs_type:file { getattr read };
# Allow init to get the attributes of block devices in /dev/block.
# dev_type is the attribute shared by all device-node labels.
allow init dev_type:dir r_dir_perms;
allow init dev_type:blk_file getattr;

# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;

# Allow the BoringSSL self test to request a reboot upon failure.
set_prop(init, powerctl_prop)

# Only init is allowed to set userspace reboot related properties.
#
# neverallow rules are assertions, not runtime denials: the policy build fails
# if any rule elsewhere (including vendor policy) grants the listed permission
# to a domain other than init, and Android's compatibility tests re-check
# neverallows against the device policy. The pattern below is repeated for
# each init-owned property.
set_prop(init, userspace_reboot_exported_prop)
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;

# Second-stage init performs a test for whether the kernel has SELinux hooks
# for the perf_event_open() syscall. This is done by testing for the syscall
# outcomes corresponding to this policy.
# TODO(b/137092007): this can be removed once the platform stops supporting
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
# and 4.9).
#
# The probe works by granting a small subset of perf_event permissions (open,
# cpu) and then attempting an operation that needs one of the withheld ones.
# The neverallow guarantees the withheld permissions are never granted to init
# anywhere in policy (otherwise the probe would misdetect the hooks), and the
# dontaudit keeps the expected denial out of the audit log on every boot.
allow init self:perf_event { open cpu };
# CAP_PERFMON via the capability2 class set (capability2 and cap2_userns).
allow init self:global_capability2_class_set perfmon;
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };

# Allow init to communicate with snapuserd to transition Virtual A/B devices
# from the first-stage daemon to the second-stage.
allow init snapuserd_socket:sock_file write;
allow init snapuserd:unix_stream_socket connectto;
# Allow for libsnapshot's use of flock() on /metadata/ota.
allow init ota_metadata_file:dir lock;

# Allow init to restore contexts of vd_device (/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;

# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;

# Only init can write vts.native_server.on
set_prop(init, vts_status_prop)
neverallow { domain -init } vts_status_prop:property_service set;

# Only init can write normal ro.boot. properties
neverallow { domain -init } bootloader_prop:property_service set;

# Only init can write ro.boot.hypervisor properties
neverallow { domain -init } hypervisor_prop:property_service set;

# Only init can write hal.instrumentation.enable
neverallow { domain -init } hal_instrumentation_prop:property_service set;

# Only init can write ro.property_service.version
neverallow { domain -init } property_service_version_prop:property_service set;

# Only init can set keystore.boot_level
neverallow { domain -init } keystore_listen_prop:property_service set;

# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;

# PRNG seeder daemon socket is created and listened on by init before forking.
# init only needs create/bind/listen here; accepting and serving connections
# happens in the prng_seeder domain after the transition.
allow init prng_seeder:unix_stream_socket { create bind listen };

# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
# attempt to write a non existing 'synthetic_events' file, when setting
# up synthetic events. This is a no-op in tracefs, so the denial is silenced
# rather than granted.
dontaudit init debugfs_tracing_debug:dir { write add_name };

# chown/chmod on devices.
# setattr is granted on every chr_file device type except the carve-outs
# listed with a leading '-'; init must not change ownership or mode of those.
allow init {
    dev_type
    -hw_random_device
    -keychord_device
    -kvm_device
    -port_device
}:chr_file setattr;