1typeattribute init coredomain; 2 3tmpfs_domain(init) 4 5# Transitions to seclabel processes in init.rc 6domain_trans(init, rootfs, slideshow) 7domain_auto_trans(init, charger_exec, charger) 8domain_auto_trans(init, e2fs_exec, e2fs) 9domain_auto_trans(init, bpfloader_exec, bpfloader) 10 11recovery_only(` 12 # Files in recovery image are labeled as rootfs. 13 domain_trans(init, rootfs, adbd) 14 domain_trans(init, rootfs, hal_bootctl_server) 15 domain_trans(init, rootfs, charger) 16 domain_trans(init, rootfs, fastbootd) 17 domain_trans(init, rootfs, hal_fastboot_server) 18 domain_trans(init, rootfs, hal_health_server) 19 domain_trans(init, rootfs, recovery) 20 domain_trans(init, rootfs, linkerconfig) 21 domain_trans(init, rootfs, servicemanager) 22 domain_trans(init, rootfs, snapuserd) 23') 24domain_trans(init, shell_exec, shell) 25domain_trans(init, init_exec, ueventd) 26domain_trans(init, init_exec, vendor_init) 27domain_trans(init, { rootfs toolbox_exec }, modprobe) 28userdebug_or_eng(` 29 # case where logpersistd is actually logcat -f in logd context (nee: logcatd) 30 domain_auto_trans(init, logcat_exec, logpersist) 31 32 # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng 33 allow init su:process transition; 34 dontaudit init su:process noatsecure; 35 allow init su:process { siginh rlimitinh }; 36') 37 38# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path. 39# This is useful in case of remounting ext4 userdata into checkpointing mode, 40# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto) 41# that userdata is mounted onto. 42allow init sysfs_dm:file read; 43 44# Allow init to modify the properties of loop devices. 45allow init sysfs_loop:dir r_dir_perms; 46allow init sysfs_loop:file rw_file_perms; 47 48# Allow init to examine the properties of block devices. 49allow init sysfs_type:file { getattr read }; 50# Allow init get the attributes of block devices in /dev/block. 51allow init dev_type:dir r_dir_perms; 52allow init dev_type:blk_file getattr; 53 54# Allow init to write to the drop_caches file. 55allow init proc_drop_caches:file rw_file_perms; 56 57# Allow the BoringSSL self test to request a reboot upon failure 58set_prop(init, powerctl_prop) 59 60set_prop(init, userspace_reboot_exported_prop) 61 62# Second-stage init performs a test for whether the kernel has SELinux hooks 63# for the perf_event_open() syscall. This is done by testing for the syscall 64# outcomes corresponding to this policy. 65# TODO(b/137092007): this can be removed once the platform stops supporting 66# kernels that precede the perf_event_open hooks (Android common kernels 4.4 67# and 4.9). 68allow init self:perf_event { open cpu }; 69allow init self:global_capability2_class_set perfmon; 70 71# Allow init to communicate with snapuserd to transition Virtual A/B devices 72# from the first-stage daemon to the second-stage. 73allow init snapuserd_socket:sock_file write; 74allow init snapuserd:unix_stream_socket connectto; 75# Allow for libsnapshot's use of flock() on /metadata/ota. 76allow init ota_metadata_file:dir lock; 77 78# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling 79# /dev/block. 80allow init vd_device:blk_file relabelto; 81 82set_prop(init, init_perf_lsm_hooks_prop) 83set_prop(init, vts_status_prop) 84 85# Allow init to set 16kb app compatibility props 86set_prop(init, bionic_linker_16kb_app_compat_prop) 87set_prop(init, pm_16kb_app_compat_prop) 88 89 90# Allow init to set/get prefetch boot prop to initiate record/replay 91set_prop(init, ctl_prefetch_prop); 92 93# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing. 94allow init debugfs_bootreceiver_tracing:file w_file_perms; 95 96# PRNG seeder daemon socket is created and listened on by init before forking. 97allow init prng_seeder:unix_stream_socket { create bind listen }; 98 99# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will 100# attempt to write a non exisiting 'synthetic_events' file, when setting 101# up synthetic events. This is a no-op in tracefs. 102dontaudit init debugfs_tracing_debug:dir { write add_name }; 103 104# chown/chmod on devices. 105allow init { 106 dev_type 107 -hw_random_device 108 -keychord_device 109 -vm_manager_device_type 110 -port_device 111}:chr_file setattr; 112 113# /dev/__null__ node created by init. 114allow init tmpfs:chr_file { create setattr unlink rw_file_perms }; 115 116# 117# init direct restorecon calls. 118# 119# /dev/kmsg 120allow init tmpfs:chr_file relabelfrom; 121allow init kmsg_device:chr_file { getattr write relabelto }; 122# /dev/kmsg_debug 123userdebug_or_eng(` 124 allow init kmsg_debug_device:chr_file { open write relabelto }; 125') 126# /mnt/vm, also permissions to mkdir / mount / chmod / chown 127allow init vm_data_file:dir { add_name create search write getattr setattr relabelto mounton }; 128 129# allow init to mount and unmount debugfs in debug builds 130userdebug_or_eng(` 131 allow init debugfs:dir mounton; 132') 133 134# /dev/__properties__ 135allow init properties_device:dir relabelto; 136allow init properties_serial:file { write relabelto }; 137allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write }; 138# /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info 139allow init properties_device:file create_file_perms; 140allow init property_info:file relabelto; 141# /dev/event-log-tags 142allow init device:file relabelfrom; 143allow init runtime_event_log_tags_file:file { open write setattr relabelto create }; 144# /dev/socket 145allow init { device socket_device dm_user_device }:dir relabelto; 146# allow init to establish connection and communicate with lmkd 147unix_socket_connect(init, lmkd, lmkd) 148# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random 149# and /dev/urandom 150allow init { console_device null_device ptmx_device random_device } : chr_file relabelto; 151# /dev/device-mapper, /dev/block(/.*)? 152allow init tmpfs:{ chr_file blk_file } relabelfrom; 153allow init tmpfs:blk_file getattr; 154allow init block_device:{ dir blk_file lnk_file } relabelto; 155allow init dm_device:{ chr_file blk_file } relabelto; 156allow init dm_user_device:chr_file relabelto; 157allow init kernel:fd use; 158# restorecon for early mount device symlinks 159allow init tmpfs:lnk_file { getattr read relabelfrom }; 160allow init { 161 metadata_block_device 162 misc_block_device 163 recovery_block_device 164 system_block_device 165 userdata_block_device 166}:{ blk_file lnk_file } relabelto; 167 168allow init dtbo_block_device:lnk_file relabelto; 169allow init super_block_device:lnk_file relabelto; 170 171# Create /mnt/sdcard -> /storage/self/primary symlink. 172allow init mnt_sdcard_file:lnk_file create; 173 174# setrlimit 175allow init self:global_capability_class_set sys_resource; 176 177# Remove /dev/.booting and load /debug_ramdisk/* files 178allow init tmpfs:file { getattr unlink }; 179 180# Access pty created for fsck. 181allow init devpts:chr_file { read write open }; 182 183# Create /dev/fscklogs files. 184allow init fscklogs:file create_file_perms; 185 186# Access /dev/__null__ node created prior to initial policy load. 187allow init tmpfs:chr_file write; 188 189# Access /dev/console. 190allow init console_device:chr_file rw_file_perms; 191 192# Access /dev/tty0. 193allow init tty_device:chr_file rw_file_perms; 194 195# Call mount(2). 196allow init self:global_capability_class_set sys_admin; 197 198# Call setns(2). 199allow init self:global_capability_class_set sys_chroot; 200 201# Create and mount on directories in /. 202allow init rootfs:dir create_dir_perms; 203allow init { 204 rootfs 205 cache_file 206 cgroup 207 linkerconfig_file 208 storage_file 209 mnt_user_file 210 system_data_file 211 system_data_root_file 212 system_dlkm_file 213 system_file 214 vendor_file 215 postinstall_mnt_dir 216 mirror_data_file 217 shell_data_file 218}:dir mounton; 219 220# Mount bpf fs on sys/fs/bpf 221allow init fs_bpf:dir mounton; 222 223# Mount on /dev/usb-ffs/adb. 224allow init device:dir mounton; 225 226# Mount tmpfs on /apex 227allow init apex_mnt_dir:dir mounton; 228 229# Bind-mount on /system/apex/com.android.art 230allow init art_apex_dir:dir mounton; 231 232# Create and remove symlinks in /. 233allow init rootfs:lnk_file { create unlink }; 234 235# Mount debugfs on /sys/kernel/debug. 236allow init sysfs:dir mounton; 237 238# Create cgroups mount points in tmpfs and mount cgroups on them. 239allow init tmpfs:dir create_dir_perms; 240allow init tmpfs:dir mounton; 241allow init cgroup:dir create_dir_perms; 242allow init cgroup:file rw_file_perms; 243allow init cgroup_rc_file:file rw_file_perms; 244allow init cgroup_desc_file:file r_file_perms; 245allow init vendor_cgroup_desc_file:file r_file_perms; 246allow init cgroup_v2:dir { mounton create_dir_perms}; 247allow init cgroup_v2:file rw_file_perms; 248 249# /config 250allow init configfs:dir mounton; 251allow init configfs:dir create_dir_perms; 252allow init configfs:{ file lnk_file } create_file_perms; 253 254# /metadata 255allow init metadata_file:dir mounton; 256 257# Run restorecon on /dev 258allow init tmpfs:dir relabelfrom; 259 260# Create directories under /dev/cpuctl after chowning it to system. 261allow init self:global_capability_class_set { dac_override dac_read_search }; 262 263# Set system clock. 264allow init self:global_capability_class_set sys_time; 265 266allow init self:global_capability_class_set { sys_rawio mknod }; 267 268# Mounting filesystems from block devices. 269allow init dev_type:blk_file r_file_perms; 270allowxperm init dev_type:blk_file ioctl BLKROSET; 271allowxperm init system_data_root_file:dir ioctl F2FS_IOC_SHUTDOWN; 272 273# Mounting filesystems. 274# Only allow relabelto for types used in context= mount options, 275# which should all be assigned the contextmount_type attribute. 276# This can be done in device-specific policy via type or typeattribute 277# declarations. 278allow init { 279 fs_type 280 enforce_debugfs_restriction(`-debugfs_type') 281}:filesystem ~relabelto; 282 283# Allow init to mount/unmount debugfs in non-user builds. 284enforce_debugfs_restriction(` 285 userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };') 286') 287 288# Allow init to mount tracefs in /sys/kernel/tracing 289allow init debugfs_tracing_debug:filesystem mount; 290 291allow init unlabeled:filesystem ~relabelto; 292allow init contextmount_type:filesystem relabelto; 293 294# Allow read-only access to context= mounted filesystems. 295allow init contextmount_type:dir r_dir_perms; 296allow init contextmount_type:notdevfile_class_set r_file_perms; 297 298# restorecon /adb_keys or any other rootfs files and directories to a more 299# specific type. 300allow init rootfs:{ dir file } relabelfrom; 301 302# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files. 303# chown/chmod require open+read+setattr required for open()+fchown/fchmod(). 304# system/core/init.rc requires at least cache_file and data_file_type. 305# init.<board>.rc files often include device-specific types, so 306# we just allow all file types except /system files here. 307allow init self:global_capability_class_set { chown fowner fsetid }; 308 309allow init { 310 file_type 311 -app_data_file 312 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 313 -storage_area_dir 314 -storage_area_app_dir 315 -storage_area_content_file 316 ') 317 -vm_data_file 318 -bpffs_type 319 -exec_type 320 -misc_logd_file 321 -nativetest_data_file 322 -privapp_data_file 323 -system_app_data_file 324 -system_dlkm_file_type 325 -system_file_type 326 -vendor_file_type 327}:dir { create search getattr open read setattr ioctl }; 328 329allow init { 330 file_type 331 -app_data_file 332 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 333 -storage_area_dir 334 -storage_area_app_dir 335 -storage_area_content_file 336 ') 337 -vm_data_file 338 -bpffs_type 339 -credstore_data_file 340 -exec_type 341 -keystore_data_file 342 -media_userdir_file 343 -misc_logd_file 344 -nativetest_data_file 345 -privapp_data_file 346 -shell_data_file 347 -system_app_data_file 348 -system_dlkm_file_type 349 -system_file_type 350 -system_userdir_file 351 -vendor_file_type 352 -vendor_userdir_file 353 -vold_data_file 354}:dir { write add_name remove_name rmdir relabelfrom }; 355 356allow init { 357 file_type 358 -apex_info_file 359 -app_data_file 360 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 361 -storage_area_dir 362 -storage_area_app_dir 363 -storage_area_content_file 364 ') 365 -vm_data_file 366 -bpffs_type 367 -exec_type 368 -gsi_data_file 369 -credstore_data_file 370 -keystore_data_file 371 -misc_logd_file 372 -nativetest_data_file 373 -privapp_data_file 374 -runtime_event_log_tags_file 375 -shell_data_file 376 -system_app_data_file 377 -system_dlkm_file_type 378 -system_file_type 379 -vendor_file_type 380 -vold_data_file 381 enforce_debugfs_restriction(`-debugfs_type') 382}:file { create getattr open read write setattr relabelfrom unlink map }; 383 384allow init tracefs_type:file { create_file_perms relabelfrom }; 385 386# Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine 387# subcontext for action/service defined in APEXes. 388allow init apex_info_file:file r_file_perms; 389 390allow init { 391 file_type 392 -app_data_file 393 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 394 -storage_area_dir 395 -storage_area_app_dir 396 -storage_area_content_file 397 ') 398 -vm_data_file 399 -bpffs_type 400 -exec_type 401 -gsi_data_file 402 -credstore_data_file 403 -keystore_data_file 404 -misc_logd_file 405 -nativetest_data_file 406 -privapp_data_file 407 -shell_data_file 408 -system_app_data_file 409 -system_dlkm_file_type 410 -system_file_type 411 -vendor_file_type 412 -vold_data_file 413}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink }; 414 415allow init { 416 file_type 417 -apex_mnt_dir 418 -app_data_file 419 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 420 -storage_area_dir 421 -storage_area_app_dir 422 -storage_area_content_file 423 ') 424 -vm_data_file 425 -bpffs_type 426 -exec_type 427 -gsi_data_file 428 -credstore_data_file 429 -keystore_data_file 430 -misc_logd_file 431 -nativetest_data_file 432 -privapp_data_file 433 -shell_data_file 434 -system_app_data_file 435 -system_dlkm_file_type 436 -system_file_type 437 -vendor_file_type 438 -vold_data_file 439}:lnk_file { create getattr setattr relabelfrom unlink }; 440 441allow init cache_file:lnk_file r_file_perms; 442 443allow init { 444 file_type 445 -bpffs_type 446 -system_dlkm_file_type 447 -system_file_type 448 -vendor_file_type 449 -exec_type 450 -app_data_file 451 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 452 -storage_area_dir 453 -storage_area_app_dir 454 -storage_area_content_file 455 ') 456 -vm_data_file 457 -privapp_data_file 458}:dir_file_class_set relabelto; 459 460allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom }; 461allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr }; 462allow init dev_type:dir create_dir_perms; 463allow init dev_type:lnk_file create; 464 465# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on 466allow init debugfs_tracing:file w_file_perms; 467 468# Setup and control wifi event tracing (see wifi-events.rc) 469allow init debugfs_tracing_instances:dir create_dir_perms; 470allow init debugfs_tracing_instances:file w_file_perms; 471allow init debugfs_wifi_tracing:file w_file_perms; 472allow init debugfs_wifi_tracing:dir create_dir_perms; 473 474# chown/chmod on pseudo files. 475allow init { 476 fs_type 477 -bpffs_type 478 -contextmount_type 479 -keychord_device 480 -proc_type 481 -sdcard_type 482 -fusefs_type 483 -sysfs_type 484 -rootfs 485 enforce_debugfs_restriction(`-debugfs_type') 486}:file { open read setattr }; 487allow init { 488 fs_type 489 -bpffs_type 490 -contextmount_type 491 -sdcard_type 492 -fusefs_type 493 -rootfs 494}:dir { open read setattr search }; 495 496allow init { 497 binder_device 498 console_device 499 devpts 500 dm_device 501 hwbinder_device 502 input_device 503 kmsg_device 504 null_device 505 owntty_device 506 pmsg_device 507 ptmx_device 508 random_device 509 tty_device 510 zero_device 511}:chr_file { read open }; 512 513# Unlabeled file access for upgrades from 4.2. 514allow init unlabeled:dir { create_dir_perms relabelfrom }; 515allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom }; 516 517# Any operation that can modify the kernel ring buffer, e.g. clear 518# or a read that consumes the messages that were read. 519allow init kernel:system syslog_mod; 520allow init self:global_capability2_class_set syslog; 521 522# init access to /proc. 523r_dir_file(init, proc_net_type) 524allow init proc_filesystems:file r_file_perms; 525 526userdebug_or_eng(` 527 # Overlayfs workdir write access check during mount to permit remount,rw 528 allow init overlayfs_file:dir { relabelfrom mounton write }; 529 allow init overlayfs_file:file { append rename }; 530 allow init overlayfs_file:chr_file unlink; 531 allow init system_block_device:blk_file { write }; 532') 533 534allow init { 535 proc # b/67049235 processes /proc/<pid>/* files are mislabeled. 536 proc_bootconfig 537 proc_cmdline 538 proc_diskstats 539 proc_kmsg # Open /proc/kmsg for logd service. 540 proc_meminfo 541 proc_stat # Read /proc/stat for bootchart. 542 proc_uptime 543 proc_version 544}:file r_file_perms; 545 546allow init { 547 proc_abi 548 proc_cpu_alignment 549 proc_dirty 550 proc_hostname 551 proc_hung_task 552 proc_extra_free_kbytes 553 proc_net_type 554 proc_max_map_count 555 proc_min_free_order_shift 556 proc_overcommit_memory # /proc/sys/vm/overcommit_memory 557 proc_panic 558 proc_page_cluster 559 proc_perf 560 proc_sched 561 proc_sysrq 562 proc_watermark_boost_factor 563}:file w_file_perms; 564 565allow init { 566 proc_security 567}:file rw_file_perms; 568 569# init chmod/chown access to /proc files. 570allow init { 571 proc_cmdline 572 proc_bootconfig 573 proc_kmsg 574 proc_net 575 proc_pagetypeinfo 576 proc_qtaguid_stat 577 proc_slabinfo 578 proc_sysrq 579 proc_qtaguid_ctrl 580 proc_vmallocinfo 581}:file setattr; 582 583# init access to /sys files. 584allow init { 585 sysfs_android_usb 586 sysfs_dm_verity 587 sysfs_leds 588 sysfs_power 589 sysfs_fs_f2fs 590 sysfs_dm 591 sysfs_lru_gen_enabled 592 sysfs_pgsize_migration 593}:file w_file_perms; 594 595allow init { 596 sysfs_dt_firmware_android 597 sysfs_fs_ext4_features 598}:file r_file_perms; 599 600allow init { 601 sysfs_zram 602}:file rw_file_perms; 603 604# allow init to create loop devices with /dev/loop-control 605allow init loop_control_device:chr_file rw_file_perms; 606allow init loop_device:blk_file rw_file_perms; 607allowxperm init loop_device:blk_file ioctl { 608 LOOP_SET_FD 609 LOOP_CLR_FD 610 LOOP_CTL_GET_FREE 611 LOOP_SET_BLOCK_SIZE 612 LOOP_SET_DIRECT_IO 613 LOOP_GET_STATUS 614 LOOP_SET_STATUS64 615}; 616 617# Allow init to write to vibrator/trigger 618allow init sysfs_vibrator:file w_file_perms; 619 620# init chmod/chown access to /sys files. 621allow init { 622 sysfs_android_usb 623 sysfs_devices_system_cpu 624 sysfs_firmware_acpi_tables 625 sysfs_ipv4 626 sysfs_leds 627 sysfs_lowmemorykiller 628 sysfs_power 629 sysfs_vibrator 630 sysfs_wake_lock 631 sysfs_zram 632}:file setattr; 633 634# Set usermodehelpers. 635allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms; 636 637allow init self:global_capability_class_set net_admin; 638 639# Reboot. 640allow init self:global_capability_class_set sys_boot; 641 642# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd". 643# Init will also walk through the directory as part of a recursive restorecon. 644allow init misc_logd_file:dir { add_name open create read getattr setattr search write }; 645allow init misc_logd_file:file { open create getattr setattr write }; 646 647# Support "adb shell stop" 648allow init self:global_capability_class_set kill; 649allow init domain:process { getpgid sigkill signal }; 650 651# Init creates credstore's directory on boot, and walks through 652# the directory as part of a recursive restorecon. 653allow init credstore_data_file:dir { open create read getattr setattr search }; 654allow init credstore_data_file:file { getattr }; 655 656# Init creates keystore's directory on boot, and walks through 657# the directory as part of a recursive restorecon. 658allow init keystore_data_file:dir { open create read getattr setattr search }; 659allow init keystore_data_file:file { getattr }; 660 661# Init creates vold's directory on boot, and walks through 662# the directory as part of a recursive restorecon. 663allow init vold_data_file:dir { open create read getattr setattr search }; 664allow init vold_data_file:file { getattr }; 665 666# Init creates /data/local/tmp at boot 667allow init shell_data_file:dir { open create read getattr setattr search }; 668allow init shell_data_file:file { getattr }; 669 670# Set UID, GID, and adjust capability bounding set for services. 671allow init self:global_capability_class_set { setuid setgid setpcap }; 672 673# For bootchart to read the /proc/$pid/cmdline file of each process, 674# we need to have following line to allow init to have access 675# to different domains. 676r_dir_file(init, domain) 677 678# Use setexeccon(), setfscreatecon(), and setsockcreatecon(). 679# setexec is for services with seclabel options. 680# setfscreate is for labeling directories and socket files. 681# setsockcreate is for labeling local/unix domain sockets. 682allow init self:process { setexec setfscreate setsockcreate }; 683 684# Get file context 685allow init file_contexts_file:file r_file_perms; 686 687# sepolicy access 688allow init sepolicy_file:file r_file_perms; 689 690# Perform SELinux access checks on setting properties. 691selinux_check_access(init) 692 693# Ask the kernel for the new context on services to label their sockets. 694allow init kernel:security compute_create; 695 696# Create sockets for the services. 697allow init domain:unix_stream_socket { create bind setopt }; 698allow init domain:unix_dgram_socket { create bind setopt }; 699 700# Create /data/property and files within it. 701allow init property_data_file:dir create_dir_perms; 702allow init property_data_file:file create_file_perms; 703 704# Set any property. 705allow init property_type:property_service set; 706 707# Send an SELinux userspace denial to the kernel audit subsystem, 708# so it can be picked up and processed by logd. These denials are 709# generated when an attempt to set a property is denied by policy. 710allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay }; 711allow init self:global_capability_class_set audit_write; 712 713# Run "ifup lo" to bring up the localhost interface 714allow init self:udp_socket { create ioctl }; 715# in addition to unpriv ioctls granted to all domains, init also needs: 716allowxperm init self:udp_socket ioctl SIOCSIFFLAGS; 717allow init self:global_capability_class_set net_raw; 718 719# Set scheduling info for psi monitor thread. 720# TODO: delete or revise this line b/131761776 721allow init kernel:process { getsched setsched }; 722 723# swapon() needs write access to swap device 724# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all 725allow init swap_block_device:blk_file rw_file_perms; 726# Allow to change group owner and permissions for new swap setup in mmd 727allow init swap_block_device:blk_file setattr; 728 729# Create and access /dev files without a specific type, 730# e.g. /dev/.coldboot_done, /dev/.booting 731# TODO: Move these files into their own type unless they are 732# only ever accessed by init. 733allow init device:file create_file_perms; 734 735# keychord retrieval from /dev/input/ devices 736allow init input_device:dir r_dir_perms; 737allow init input_device:chr_file rw_file_perms; 738 739# Access device mapper for setting up dm-verity 740allow init dm_device:chr_file rw_file_perms; 741allow init dm_device:blk_file rw_file_perms; 742 743# Access dm-user for OTA boot 744allow init dm_user_device:chr_file rw_file_perms; 745 746# Access metadata block device for storing dm-verity state 747allow init metadata_block_device:blk_file rw_file_perms; 748 749# Read /sys/fs/pstore/console-ramoops to detect restarts caused 750# by dm-verity detecting corrupted blocks 751allow init pstorefs:dir search; 752allow init pstorefs:file r_file_perms; 753allow init kernel:system syslog_read; 754 755# linux keyring configuration 756allow init init:key { write search setattr }; 757 758# Allow init to create /data/unencrypted 759allow init unencrypted_data_file:dir create_dir_perms; 760 761# Set encryption policy on dirs in /data 762allowxperm init { data_file_type unlabeled }:dir ioctl { 763 FS_IOC_GET_ENCRYPTION_POLICY 764 FS_IOC_SET_ENCRYPTION_POLICY 765}; 766 767# Raw writes to misc block device 768allow init misc_block_device:blk_file w_file_perms; 769 770r_dir_file(init, system_file) 771r_dir_file(init, system_dlkm_file_type) 772r_dir_file(init, vendor_file_type) 773 774allow init system_data_file:file { getattr read }; 775allow init system_data_file:lnk_file r_file_perms; 776 777# For init to be able to run shell scripts from vendor 778allow init vendor_shell_exec:file execute; 779 780# Metadata setup 781allow init vold_metadata_file:dir create_dir_perms; 782allow init vold_metadata_file:file getattr; 783allow init metadata_bootstat_file:dir create_dir_perms; 784allow init metadata_bootstat_file:file w_file_perms; 785allow init userspace_reboot_metadata_file:file w_file_perms; 786 787# Allow init to touch PSI monitors 788allow init proc_pressure_mem:file { rw_file_perms setattr }; 789 790# init is using bootstrap bionic 791use_bootstrap_libs(init) 792 793# stat the root dir of fuse filesystems (for the mount handler) 794allow init fuse:dir { search getattr }; 795 796# allow filesystem tuning 797allow init userdata_sysdev:file create_file_perms; 798 799# allow disk tuning 800allow init rootdisk_sysdev:file create_file_perms; 801 802### 803### neverallow rules 804### 805 806# The init domain is only entered via an exec based transition from the 807# kernel domain, never via setcon(). 808neverallow domain init:process dyntransition; 809neverallow { domain -kernel } init:process transition; 810neverallow init { file_type fs_type -init_exec }:file entrypoint; 811 812# Never read/follow symlinks created by shell or untrusted apps. 813neverallow init shell_data_file:lnk_file read; 814neverallow init app_data_file_type:lnk_file read; 815 816# init should never execute a program without changing to another domain. 817neverallow init { file_type fs_type }:file execute_no_trans; 818 819# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed 820# when init is executing other binaries. The use of LD_PRELOAD for init spawned 821# services is generally considered a no-no, as it injects libraries which the 822# binary was not expecting. This is especially problematic for APEXes. The use 823# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads 824# code into a process which wasn't expecting that code, with potentially 825# unexpected side effects. (b/140789528) 826neverallow init *:process noatsecure; 827 828# init can never add binder services 829neverallow init service_manager_type:service_manager { add find }; 830# init can never list binder services 831neverallow init servicemanager:service_manager list; 832 833# Init should not be creating subdirectories in /data/local/tmp 834neverallow init shell_data_file:dir { write add_name remove_name }; 835 836# Init should not access sysfs node that are not explicitly labeled. 837neverallow init sysfs:file { open write }; 838 839# No domain should be allowed to ptrace init. 840neverallow * init:process ptrace; 841 842# init owns the root of /data 843# TODO(b/140259336) We want to remove vendor_init 844# TODO(b/141108496) We want to remove toolbox 845neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name }; 846 847# Only init is allowed to set userspace reboot related properties. 848neverallow { domain -init } userspace_reboot_exported_prop:property_service set; 849 850neverallow init self:perf_event { kernel tracepoint read write }; 851dontaudit init self:perf_event { kernel tracepoint read write }; 852 853# Only init is allowed to set the sysprop indicating whether perf_event_open() 854# SELinux hooks were detected. 855neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set; 856 857# Only init can write vts.native_server.on 858neverallow { domain -init } vts_status_prop:property_service set; 859 860# Only init can write normal ro.boot. properties 861neverallow { domain -init } bootloader_prop:property_service set; 862 863# Only init can write hal.instrumentation.enable 864neverallow { domain -init } hal_instrumentation_prop:property_service set; 865 866# Only init can write ro.property_service.version 867neverallow { domain -init } property_service_version_prop:property_service set; 868 869# Only init can set keystore.boot_level 870neverallow { domain -init } keystore_listen_prop:property_service set; 871