# init switches to init domain (via init.rc). type init, domain, mlstrustedsubject; tmpfs_domain(init) # setrlimit allow init self:capability sys_resource; # Remove /dev/.booting, created before initial policy load or restorecon /dev. allow init tmpfs:file unlink; # Access pty created for fsck. allow init devpts:chr_file { read write open }; # Create /dev/fscklogs files. allow init fscklogs:file create_file_perms; # Access /dev/__null__ node created prior to initial policy load. allow init tmpfs:chr_file write; # Access /dev/console. allow init console_device:chr_file rw_file_perms; # Access /dev/tty0. allow init tty_device:chr_file rw_file_perms; # Call mount(2). allow init self:capability sys_admin; # Create and mount on directories in /. allow init rootfs:dir create_dir_perms; allow init rootfs:dir mounton; # Mount on /dev/usb-ffs/adb. allow init device:dir mounton; # Create and remove symlinks in /. allow init rootfs:lnk_file { create unlink }; # Mount debugfs on /sys/kernel/debug. allow init sysfs:dir mounton; # Create cgroups mount points in tmpfs and mount cgroups on them. allow init tmpfs:dir create_dir_perms; allow init tmpfs:dir mounton; allow init cgroup:dir create_dir_perms; allow init cpuctl_device:dir { create mounton }; # Use tmpfs as /data, used for booting when /data is encrypted allow init tmpfs:dir relabelfrom; # Create directories under /dev/cpuctl after chowning it to system. allow init self:capability dac_override; # Set system clock. allow init self:capability sys_time; allow init self:capability { sys_rawio mknod }; # Mounting filesystems from block devices. allow init dev_type:blk_file r_file_perms; # Mounting filesystems. # Only allow relabelto for types used in context= mount options, # which should all be assigned the contextmount_type attribute. # This can be done in device-specific policy via type or typeattribute # declarations. allow init fs_type:filesystem ~relabelto; allow init unlabeled:filesystem ~relabelto; allow init contextmount_type:filesystem relabelto; # Allow read-only access to context= mounted filesystems. allow init contextmount_type:dir r_dir_perms; allow init contextmount_type:notdevfile_class_set r_file_perms; # restorecon /adb_keys or any other rootfs files to a more specific type. allow init rootfs:file relabelfrom; # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files. # chown/chmod require open+read+setattr required for open()+fchown/fchmod(). # system/core/init.rc requires at least cache_file and data_file_type. # init..rc files often include device-specific types, so # we just allow all file types except /system files here. allow init self:capability { chown fowner fsetid }; allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr }; allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom }; allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:file { create getattr open read write setattr relabelfrom unlink }; allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink }; allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink }; allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto; allow init sysfs:{ dir file lnk_file } { getattr relabelfrom }; allow init sysfs_type:{ dir file lnk_file } relabelto; allow init dev_type:dir create_dir_perms; allow init dev_type:lnk_file create; # chown/chmod on pseudo files. allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr }; allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search }; # chown/chmod on devices. allow init { dev_type -kmem_device }:chr_file { read open setattr }; # Unlabeled file access for upgrades from 4.2. allow init unlabeled:dir { create_dir_perms relabelfrom }; allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom }; # Create /data/security from init.rc post-fs-data. allow init security_file:dir { create setattr }; # Reload policy upon setprop selinux.reload_policy 1. r_dir_file(init, security_file) allow init kernel:security load_policy; # Any operation that can modify the kernel ring buffer, e.g. clear # or a read that consumes the messages that were read. allow init kernel:system syslog_mod; allow init self:capability2 syslog; # Set usermodehelpers and /proc security settings. allow init usermodehelper:file rw_file_perms; allow init proc_security:file rw_file_perms; # Write to /proc/sys/kernel/panic_on_oops. allow init proc:file w_file_perms; # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files. allow init proc_net:file w_file_perms; allow init self:capability net_admin; # Write to /proc/sysrq-trigger. allow init proc_sysrq:file w_file_perms; # Reboot. allow init self:capability sys_boot; # Write to sysfs nodes. allow init sysfs_type:dir r_dir_perms; allow init sysfs_type:file w_file_perms; # Transitions to seclabel processes in init.rc domain_trans(init, rootfs, adbd) domain_trans(init, rootfs, healthd) domain_trans(init, rootfs, slideshow) recovery_only(` domain_trans(init, rootfs, recovery) ') domain_trans(init, shell_exec, shell) domain_trans(init, rootfs, ueventd) domain_trans(init, rootfs, watchdogd) # Support "adb shell stop" allow init self:capability kill; allow init domain:process sigkill; # Init creates keystore's directory on boot, and walks through # the directory as part of a recursive restorecon. allow init keystore_data_file:dir { open create read getattr setattr search }; allow init keystore_data_file:file { getattr }; # Init creates vold's directory on boot, and walks through # the directory as part of a recursive restorecon. allow init vold_data_file:dir { open create read getattr setattr search }; allow init vold_data_file:file { getattr }; # Init creates /data/local/tmp at boot allow init shell_data_file:dir { open create read getattr setattr search }; allow init shell_data_file:file { getattr }; # Set UID and GID for services. allow init self:capability { setuid setgid }; # For bootchart to read the /proc/$pid/cmdline file of each process, # we need to have following line to allow init to have access # to different domains. r_dir_file(init, domain) # Use setexeccon(), setfscreatecon(), and setsockcreatecon(). # setexec is for services with seclabel options. # setfscreate is for labeling directories and socket files. # setsockcreate is for labeling local/unix domain sockets. allow init self:process { setexec setfscreate setsockcreate }; # Perform SELinux access checks on setting properties. selinux_check_access(init) # Ask the kernel for the new context on services to label their sockets. allow init kernel:security compute_create; # Create sockets for the services. allow init domain:unix_stream_socket { create bind }; allow init domain:unix_dgram_socket { create bind }; # Create /data/property and files within it. allow init property_data_file:dir create_dir_perms; allow init property_data_file:file create_file_perms; # Set any property. allow init property_type:property_service set; # Run "ifup lo" to bring up the localhost interface allow init self:udp_socket { create ioctl }; allow init self:capability net_raw; # This line seems suspect, as it should not really need to # set scheduling parameters for a kernel domain task. allow init kernel:process setsched; # swapon() needs write access to swap device # system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all allow init swap_block_device:blk_file rw_file_perms; # Read from /dev/hw_random if present. # system/core/init/init.c - mix_hwrng_into_linux_rng_action allow init hw_random_device:chr_file r_file_perms; # Create and access /dev files without a specific type, # e.g. /dev/.coldboot_done, /dev/.booting # TODO: Move these files into their own type unless they are # only ever accessed by init. allow init device:file create_file_perms; # Access character devices without a specific type, # e.g. /dev/keychord. # TODO: Move these devices into their own type unless they # are only ever accessed by init. allow init device:chr_file { rw_file_perms setattr }; # keychord configuration allow init self:capability sys_tty_config; # Access device mapper for setting up dm-verity allow init dm_device:chr_file rw_file_perms; allow init dm_device:blk_file rw_file_perms; # Access metadata block device for storing dm-verity state allow init metadata_block_device:blk_file rw_file_perms; # Read /sys/fs/pstore/console-ramoops to detect restarts caused # by dm-verity detecting corrupted blocks allow init pstorefs:dir search; allow init pstorefs:file r_file_perms; # linux keyring configuration allow init init:key { write search setattr }; # Allow init to link temp fs to unencrypted data on userdata allow init tmpfs:lnk_file { create read getattr relabelfrom }; # Allow init to manipulate /data/unencrypted allow init unencrypted_data_file:{ file lnk_file } create_file_perms; allow init unencrypted_data_file:dir create_dir_perms; unix_socket_connect(init, vold, vold) ### ### neverallow rules ### # The init domain is only entered via setcon from the kernel domain, # never via an exec-based transition. neverallow { domain -kernel} init:process dyntransition; neverallow domain init:process transition; neverallow init { file_type fs_type }:file entrypoint; # Never read/follow symlinks created by shell or untrusted apps. neverallow init shell_data_file:lnk_file read; neverallow init app_data_file:lnk_file read; # init should never execute a program without changing to another domain. neverallow init { file_type fs_type }:file execute_no_trans;