# Additional rules for the init domain. The init type itself is declared
# elsewhere; this file only attaches an attribute to it and adds rules.
typeattribute init coredomain;

tmpfs_domain(init)

# Transitions to seclabel processes in init.rc
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, charger_exec, charger)
domain_auto_trans(init, e2fs_exec, e2fs)
domain_auto_trans(init, bpfloader_exec, bpfloader)

recovery_only(`
  # Files in recovery image are labeled as rootfs, so these services cannot be
  # distinguished by an executable type and init needs an explicit transition
  # to each target domain.
  domain_trans(init, rootfs, adbd)
  domain_trans(init, rootfs, hal_bootctl_server)
  domain_trans(init, rootfs, charger)
  domain_trans(init, rootfs, fastbootd)
  domain_trans(init, rootfs, hal_fastboot_server)
  domain_trans(init, rootfs, hal_health_server)
  domain_trans(init, rootfs, recovery)
  domain_trans(init, rootfs, linkerconfig)
  domain_trans(init, rootfs, servicemanager)
  domain_trans(init, rootfs, snapuserd)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, vendor_init)
domain_trans(init, { rootfs toolbox_exec }, modprobe)
# The rules inside this macro apply only to userdebug/eng builds.
userdebug_or_eng(`
  # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
  domain_auto_trans(init, logcat_exec, logpersist)

  # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
  allow init su:process transition;
  dontaudit init su:process noatsecure;
  allow init su:process { siginh rlimitinh };
')

# Allow init to figure out the name of a dm-device from its /dev/block/dm-XX path.
# This is useful in case of remounting ext4 userdata into checkpointing mode,
# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
# that userdata is mounted onto.
allow init sysfs_dm:file read;

# Allow init to modify the properties of loop devices.
allow init sysfs_loop:dir r_dir_perms;
allow init sysfs_loop:file rw_file_perms;

# Allow init to examine the properties of block devices.
# NOTE(review): sysfs_type is the attribute shared by all sysfs-labeled files,
# so this grants read of every sysfs file, not only block-device attributes —
# confirm that breadth is intended.
allow init sysfs_type:file { getattr read };
# Allow init to get the attributes of block devices in /dev/block.
allow init dev_type:dir r_dir_perms;
allow init dev_type:blk_file getattr;

# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;

# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)

# Only init is allowed to set userspace reboot related properties.
# The neverallow is a policy build-time assertion: it fails compilation if any
# other domain is granted the set permission, rather than denying at runtime.
set_prop(init, userspace_reboot_exported_prop)
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;

# Second-stage init performs a test for whether the kernel has SELinux hooks
# for the perf_event_open() syscall. This is done by testing for the syscall
# outcomes corresponding to this policy: open and cpu are allowed, while
# kernel/tracepoint/read/write are denied and not audited.
# TODO(b/137092007): this can be removed once the platform stops supporting
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
# and 4.9).
allow init self:perf_event { open cpu };
allow init self:global_capability2_class_set perfmon;
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };

# Allow init to communicate with snapuserd to transition Virtual A/B devices
# from the first-stage daemon to the second-stage.
allow init snapuserd_socket:sock_file write;
allow init snapuserd:unix_stream_socket connectto;
# Allow for libsnapshot's use of flock() on /metadata/ota.
allow init ota_metadata_file:dir lock;

# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;

# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;

# Only init can write vts.native_server.on
set_prop(init, vts_status_prop)
neverallow { domain -init } vts_status_prop:property_service set;

# Only init can write normal ro.boot. properties
neverallow { domain -init } bootloader_prop:property_service set;

# Only init can write hal.instrumentation.enable
neverallow { domain -init } hal_instrumentation_prop:property_service set;

# Only init can write ro.property_service.version
neverallow { domain -init } property_service_version_prop:property_service set;

# Only init can set keystore.boot_level
neverallow { domain -init } keystore_listen_prop:property_service set;

# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;

# PRNG seeder daemon socket is created and listened on by init before forking.
# Only create/bind/listen are granted here; the accepting side is not init.
allow init prng_seeder:unix_stream_socket { create bind listen };

# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
# attempt to write a non-existing 'synthetic_events' file, when setting
# up synthetic events. This is a no-op in tracefs, so the denial is silenced
# rather than allowed.
dontaudit init debugfs_tracing_debug:dir { write add_name };

# chown/chmod on devices.
# The subtracted types are deliberately excluded from init's setattr scope;
# do not widen this set without reviewing why each exclusion exists.
allow init {
  dev_type
  -hw_random_device
  -keychord_device
  -vm_manager_device_type
  -port_device
}:chr_file setattr;