| # init is its own domain. |
| type init, domain, mlstrustedsubject; |
| type init_exec, system_file_type, exec_type, file_type; |
| type init_tmpfs, file_type; |
| |
| # /dev/__null__ node created by init. |
| allow init tmpfs:chr_file { create setattr unlink rw_file_perms }; |
| |
| # |
| # init direct restorecon calls. |
| # |
| # /dev/kmsg |
| allow init tmpfs:chr_file relabelfrom; |
| allow init kmsg_device:chr_file { getattr write relabelto }; |
| # /dev/kmsg_debug |
| userdebug_or_eng(` |
| allow init kmsg_debug_device:chr_file { open write relabelto }; |
| ') |
| # /dev/__properties__ |
| allow init properties_device:dir relabelto; |
| allow init properties_serial:file { write relabelto }; |
| allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write }; |
| # /dev/__properties__/property_info |
| allow init properties_device:file create_file_perms; |
| allow init property_info:file relabelto; |
| # /dev/event-log-tags |
| allow init device:file relabelfrom; |
| allow init runtime_event_log_tags_file:file { open write setattr relabelto create }; |
| # /dev/socket |
| allow init { device socket_device }:dir relabelto; |
| # allow init to establish connection and communicate with lmkd |
| unix_socket_connect(init, lmkd, lmkd) |
| # Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom |
| allow init { null_device ptmx_device random_device } : chr_file relabelto; |
| # /dev/device-mapper, /dev/block(/.*)? |
| allow init tmpfs:{ chr_file blk_file } relabelfrom; |
| allow init tmpfs:blk_file getattr; |
| allow init block_device:{ dir blk_file lnk_file } relabelto; |
| allow init dm_device:{ chr_file blk_file } relabelto; |
| allow init kernel:fd use; |
| # restorecon for early mount device symlinks |
| allow init tmpfs:lnk_file { getattr read relabelfrom }; |
| allow init { |
| metadata_block_device |
| misc_block_device |
| recovery_block_device |
| system_block_device |
| userdata_block_device |
| }:{ blk_file lnk_file } relabelto; |
| |
| allow init super_block_device:lnk_file relabelto; |
| |
| # Create /mnt/sdcard -> /storage/self/primary symlink. |
| allow init mnt_sdcard_file:lnk_file create; |
| |
| # setrlimit |
| allow init self:global_capability_class_set sys_resource; |
| |
| # Remove /dev/.booting and load /debug_ramdisk/* files |
| allow init tmpfs:file { getattr unlink }; |
| |
| # Access pty created for fsck. |
| allow init devpts:chr_file { read write open }; |
| |
| # Create /dev/fscklogs files. |
| allow init fscklogs:file create_file_perms; |
| |
| # Access /dev/__null__ node created prior to initial policy load. |
| allow init tmpfs:chr_file write; |
| |
| # Access /dev/console. |
| allow init console_device:chr_file rw_file_perms; |
| |
| # Access /dev/tty0. |
| allow init tty_device:chr_file rw_file_perms; |
| |
| # Call mount(2). |
| allow init self:global_capability_class_set sys_admin; |
| |
| # Call setns(2). |
| allow init self:global_capability_class_set sys_chroot; |
| |
| # Create and mount on directories in /. |
| allow init rootfs:dir create_dir_perms; |
| allow init { |
| rootfs |
| cache_file |
| cgroup |
| linkerconfig_file |
| storage_file |
| mnt_user_file |
| system_data_file |
| system_data_root_file |
| system_file |
| vendor_file |
| postinstall_mnt_dir |
| mirror_data_file |
| }:dir mounton; |
| allow init cgroup_bpf:dir { create mounton }; |
| |
| # Mount bpf fs on sys/fs/bpf |
| allow init fs_bpf:dir mounton; |
| |
| # Mount on /dev/usb-ffs/adb. |
| allow init device:dir mounton; |
| |
| # Mount tmpfs on /apex |
| allow init apex_mnt_dir:dir mounton; |
| |
| # Bind-mount on /system/apex/com.android.art |
| allow init art_apex_dir:dir mounton; |
| |
| # Create and remove symlinks in /. |
| allow init rootfs:lnk_file { create unlink }; |
| |
| # Mount debugfs on /sys/kernel/debug. |
| allow init sysfs:dir mounton; |
| |
| # Create cgroups mount points in tmpfs and mount cgroups on them. |
| allow init tmpfs:dir create_dir_perms; |
| allow init tmpfs:dir mounton; |
| allow init cgroup:dir create_dir_perms; |
| allow init cgroup:file rw_file_perms; |
| allow init cgroup_rc_file:file rw_file_perms; |
| allow init cgroup_desc_file:file r_file_perms; |
| allow init vendor_cgroup_desc_file:file r_file_perms; |
| |
| # /config |
| allow init configfs:dir mounton; |
| allow init configfs:dir create_dir_perms; |
| allow init configfs:{ file lnk_file } create_file_perms; |
| |
| # /metadata |
| allow init metadata_file:dir mounton; |
| |
| # Use tmpfs as /data, used for booting when /data is encrypted |
| allow init tmpfs:dir relabelfrom; |
| |
| # Create directories under /dev/cpuctl after chowning it to system. |
| allow init self:global_capability_class_set { dac_override dac_read_search }; |
| |
| # Set system clock. |
| allow init self:global_capability_class_set sys_time; |
| |
| allow init self:global_capability_class_set { sys_rawio mknod }; |
| |
| # Mounting filesystems from block devices. |
| allow init dev_type:blk_file r_file_perms; |
| allowxperm init dev_type:blk_file ioctl BLKROSET; |
| |
| # Mounting filesystems. |
| # Only allow relabelto for types used in context= mount options, |
| # which should all be assigned the contextmount_type attribute. |
| # This can be done in device-specific policy via type or typeattribute |
| # declarations. |
| allow init fs_type:filesystem ~relabelto; |
| allow init unlabeled:filesystem ~relabelto; |
| allow init contextmount_type:filesystem relabelto; |
| |
| # Allow read-only access to context= mounted filesystems. |
| allow init contextmount_type:dir r_dir_perms; |
| allow init contextmount_type:notdevfile_class_set r_file_perms; |
| |
| # restorecon /adb_keys or any other rootfs files and directories to a more |
| # specific type. |
| allow init rootfs:{ dir file } relabelfrom; |
| |
| # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files. |
| # chown/chmod require open+read+setattr required for open()+fchown/fchmod(). |
| # system/core/init.rc requires at least cache_file and data_file_type. |
| # init.<board>.rc files often include device-specific types, so |
| # we just allow all file types except /system files here. |
| allow init self:global_capability_class_set { chown fowner fsetid }; |
| |
| allow init { |
| file_type |
| -app_data_file |
| -exec_type |
| -misc_logd_file |
| -nativetest_data_file |
| -privapp_data_file |
| -system_app_data_file |
| -system_file_type |
| -vendor_file_type |
| }:dir { create search getattr open read setattr ioctl }; |
| |
| allow init { |
| file_type |
| -app_data_file |
| -exec_type |
| -iorapd_data_file |
| -credstore_data_file |
| -keystore_data_file |
| -misc_logd_file |
| -nativetest_data_file |
| -privapp_data_file |
| -shell_data_file |
| -system_app_data_file |
| -system_file_type |
| -vendor_file_type |
| -vold_data_file |
| }:dir { write add_name remove_name rmdir relabelfrom }; |
| |
| allow init { |
| file_type |
| -app_data_file |
| -exec_type |
| -gsi_data_file |
| -iorapd_data_file |
| -credstore_data_file |
| -keystore_data_file |
| -misc_logd_file |
| -nativetest_data_file |
| -privapp_data_file |
| -runtime_event_log_tags_file |
| -shell_data_file |
| -system_app_data_file |
| -system_file_type |
| -vendor_file_type |
| -vold_data_file |
| }:file { create getattr open read write setattr relabelfrom unlink map }; |
| |
| allow init { |
| file_type |
| -app_data_file |
| -exec_type |
| -gsi_data_file |
| -iorapd_data_file |
| -credstore_data_file |
| -keystore_data_file |
| -misc_logd_file |
| -nativetest_data_file |
| -privapp_data_file |
| -shell_data_file |
| -system_app_data_file |
| -system_file_type |
| -vendor_file_type |
| -vold_data_file |
| }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink }; |
| |
| allow init { |
| file_type |
| -apex_mnt_dir |
| -app_data_file |
| -exec_type |
| -gsi_data_file |
| -iorapd_data_file |
| -credstore_data_file |
| -keystore_data_file |
| -misc_logd_file |
| -nativetest_data_file |
| -privapp_data_file |
| -shell_data_file |
| -system_app_data_file |
| -system_file_type |
| -vendor_file_type |
| -vold_data_file |
| }:lnk_file { create getattr setattr relabelfrom unlink }; |
| |
| allow init cache_file:lnk_file r_file_perms; |
| |
| allow init { |
| file_type |
| -system_file_type |
| -vendor_file_type |
| -exec_type |
| -app_data_file |
| -privapp_data_file |
| }:dir_file_class_set relabelto; |
| |
| allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom }; |
| allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr }; |
| allow init dev_type:dir create_dir_perms; |
| allow init dev_type:lnk_file create; |
| |
| # Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on |
| allow init debugfs_tracing:file w_file_perms; |
| |
| # Setup and control wifi event tracing (see wifi-events.rc) |
| allow init debugfs_tracing_instances:dir create_dir_perms; |
| allow init debugfs_tracing_instances:file w_file_perms; |
| allow init debugfs_wifi_tracing:file w_file_perms; |
| |
| # chown/chmod on pseudo files. |
| allow init { |
| fs_type |
| -contextmount_type |
| -keychord_device |
| -proc_type |
| -sdcard_type |
| -sysfs_type |
| -rootfs |
| }:file { open read setattr }; |
| allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search }; |
| |
| allow init { |
| binder_device |
| console_device |
| devpts |
| dm_device |
| hwbinder_device |
| hw_random_device |
| input_device |
| kmsg_device |
| null_device |
| owntty_device |
| pmsg_device |
| ptmx_device |
| random_device |
| tty_device |
| zero_device |
| }:chr_file { read open }; |
| |
| # chown/chmod on devices. |
| allow init { |
| dev_type |
| -keychord_device |
| -port_device |
| }:chr_file setattr; |
| |
| # Unlabeled file access for upgrades from 4.2. |
| allow init unlabeled:dir { create_dir_perms relabelfrom }; |
| allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom }; |
| |
| # Any operation that can modify the kernel ring buffer, e.g. clear |
| # or a read that consumes the messages that were read. |
| allow init kernel:system syslog_mod; |
| allow init self:global_capability2_class_set syslog; |
| |
| # init access to /proc. |
| r_dir_file(init, proc_net_type) |
| allow init proc_filesystems:file r_file_perms; |
| |
| userdebug_or_eng(` |
| # Overlayfs workdir write access check during mount to permit remount,rw |
| allow init overlayfs_file:dir { relabelfrom mounton write }; |
| allow init overlayfs_file:file { append }; |
| allow init system_block_device:blk_file { write }; |
| ') |
| |
| allow init { |
| proc # b/67049235 processes /proc/<pid>/* files are mislabeled. |
| proc_cmdline |
| proc_diskstats |
| proc_kmsg # Open /proc/kmsg for logd service. |
| proc_meminfo |
| proc_stat # Read /proc/stat for bootchart. |
| proc_uptime |
| proc_version |
| }:file r_file_perms; |
| |
| allow init { |
| proc_abi |
| proc_dirty |
| proc_hostname |
| proc_hung_task |
| proc_extra_free_kbytes |
| proc_net_type |
| proc_max_map_count |
| proc_min_free_order_shift |
| proc_overcommit_memory # /proc/sys/vm/overcommit_memory |
| proc_panic |
| proc_page_cluster |
| proc_perf |
| proc_sched |
| proc_sysrq |
| }:file w_file_perms; |
| |
| allow init { |
| proc_security |
| }:file rw_file_perms; |
| |
| # init chmod/chown access to /proc files. |
| allow init { |
| proc_cmdline |
| proc_kmsg |
| proc_net |
| proc_qtaguid_stat |
| proc_slabinfo |
| proc_sysrq |
| proc_qtaguid_ctrl |
| proc_vmallocinfo |
| }:file setattr; |
| |
| # init access to /sys files. |
| allow init { |
| sysfs_android_usb |
| sysfs_dm_verity |
| sysfs_leds |
| sysfs_power |
| sysfs_fs_f2fs |
| sysfs_dm |
| }:file w_file_perms; |
| |
| allow init { |
| sysfs_dt_firmware_android |
| sysfs_fs_ext4_features |
| }:file r_file_perms; |
| |
| allow init { |
| sysfs_zram |
| }:file rw_file_perms; |
| |
| # allow init to create loop devices with /dev/loop-control |
| allow init loop_control_device:chr_file rw_file_perms; |
| allow init loop_device:blk_file rw_file_perms; |
| allowxperm init loop_device:blk_file ioctl { |
| LOOP_SET_FD |
| LOOP_CLR_FD |
| LOOP_CTL_GET_FREE |
| LOOP_SET_BLOCK_SIZE |
| LOOP_SET_DIRECT_IO |
| }; |
| |
| # Allow init to write to vibrator/trigger |
| allow init sysfs_vibrator:file w_file_perms; |
| |
| # init chmod/chown access to /sys files. |
| allow init { |
| sysfs_android_usb |
| sysfs_devices_system_cpu |
| sysfs_ipv4 |
| sysfs_leds |
| sysfs_lowmemorykiller |
| sysfs_power |
| sysfs_vibrator |
| sysfs_wake_lock |
| sysfs_zram |
| }:file setattr; |
| |
| # Set usermodehelpers. |
| allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms; |
| |
| allow init self:global_capability_class_set net_admin; |
| |
| # Reboot. |
| allow init self:global_capability_class_set sys_boot; |
| |
| # Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd". |
| # Init will also walk through the directory as part of a recursive restorecon. |
| allow init misc_logd_file:dir { add_name open create read getattr setattr search write }; |
| allow init misc_logd_file:file { open create getattr setattr write }; |
| |
| # Support "adb shell stop" |
| allow init self:global_capability_class_set kill; |
| allow init domain:process { getpgid sigkill signal }; |
| |
| # Init creates credstore's directory on boot, and walks through |
| # the directory as part of a recursive restorecon. |
| allow init credstore_data_file:dir { open create read getattr setattr search }; |
| allow init credstore_data_file:file { getattr }; |
| |
| # Init creates keystore's directory on boot, and walks through |
| # the directory as part of a recursive restorecon. |
| allow init keystore_data_file:dir { open create read getattr setattr search }; |
| allow init keystore_data_file:file { getattr }; |
| |
| # Init creates vold's directory on boot, and walks through |
| # the directory as part of a recursive restorecon. |
| allow init vold_data_file:dir { open create read getattr setattr search }; |
| allow init vold_data_file:file { getattr }; |
| |
| # Init creates /data/local/tmp at boot |
| allow init shell_data_file:dir { open create read getattr setattr search }; |
| allow init shell_data_file:file { getattr }; |
| |
| # Set UID, GID, and adjust capability bounding set for services. |
| allow init self:global_capability_class_set { setuid setgid setpcap }; |
| |
| # For bootchart to read the /proc/$pid/cmdline file of each process, |
| # we need to have following line to allow init to have access |
| # to different domains. |
| r_dir_file(init, domain) |
| |
| # Use setexeccon(), setfscreatecon(), and setsockcreatecon(). |
| # setexec is for services with seclabel options. |
| # setfscreate is for labeling directories and socket files. |
| # setsockcreate is for labeling local/unix domain sockets. |
| allow init self:process { setexec setfscreate setsockcreate }; |
| |
| # Get file context |
| allow init file_contexts_file:file r_file_perms; |
| |
| # sepolicy access |
| allow init sepolicy_file:file r_file_perms; |
| |
| # Perform SELinux access checks on setting properties. |
| selinux_check_access(init) |
| |
| # Ask the kernel for the new context on services to label their sockets. |
| allow init kernel:security compute_create; |
| |
| # Create sockets for the services. |
| allow init domain:unix_stream_socket { create bind setopt }; |
| allow init domain:unix_dgram_socket { create bind setopt }; |
| |
| # Create /data/property and files within it. |
| allow init property_data_file:dir create_dir_perms; |
| allow init property_data_file:file create_file_perms; |
| |
| # Set any property. |
| allow init property_type:property_service set; |
| |
| # Send an SELinux userspace denial to the kernel audit subsystem, |
| # so it can be picked up and processed by logd. These denials are |
| # generated when an attempt to set a property is denied by policy. |
| allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay }; |
| allow init self:global_capability_class_set audit_write; |
| |
| # Run "ifup lo" to bring up the localhost interface |
| allow init self:udp_socket { create ioctl }; |
| # in addition to unpriv ioctls granted to all domains, init also needs: |
| allowxperm init self:udp_socket ioctl SIOCSIFFLAGS; |
| allow init self:global_capability_class_set net_raw; |
| |
| # Set scheduling info for psi monitor thread. |
| # TODO: delete or revise this line b/131761776 |
| allow init kernel:process { getsched setsched }; |
| |
| # swapon() needs write access to swap device |
| # system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all |
| allow init swap_block_device:blk_file rw_file_perms; |
| |
| # Read from /dev/hw_random if present. |
| # system/core/init/init.c - mix_hwrng_into_linux_rng_action |
| allow init hw_random_device:chr_file r_file_perms; |
| |
| # Create and access /dev files without a specific type, |
| # e.g. /dev/.coldboot_done, /dev/.booting |
| # TODO: Move these files into their own type unless they are |
| # only ever accessed by init. |
| allow init device:file create_file_perms; |
| |
| # keychord retrieval from /dev/input/ devices |
| allow init input_device:dir r_dir_perms; |
| allow init input_device:chr_file rw_file_perms; |
| |
| # Access device mapper for setting up dm-verity |
| allow init dm_device:chr_file rw_file_perms; |
| allow init dm_device:blk_file rw_file_perms; |
| |
| # Access metadata block device for storing dm-verity state |
| allow init metadata_block_device:blk_file rw_file_perms; |
| |
| # Read /sys/fs/pstore/console-ramoops to detect restarts caused |
| # by dm-verity detecting corrupted blocks |
| allow init pstorefs:dir search; |
| allow init pstorefs:file r_file_perms; |
| allow init kernel:system syslog_read; |
| |
| # linux keyring configuration |
| allow init init:key { write search setattr }; |
| |
| # Allow init to create /data/unencrypted |
| allow init unencrypted_data_file:dir create_dir_perms; |
| |
| # Set encryption policy on dirs in /data |
| allowxperm init { data_file_type unlabeled }:dir ioctl { |
| FS_IOC_GET_ENCRYPTION_POLICY |
| FS_IOC_SET_ENCRYPTION_POLICY |
| }; |
| |
| # Raw writes to misc block device |
| allow init misc_block_device:blk_file w_file_perms; |
| |
| r_dir_file(init, system_file) |
| r_dir_file(init, vendor_file_type) |
| |
| allow init system_data_file:file { getattr read }; |
| allow init system_data_file:lnk_file r_file_perms; |
| |
| # For init to be able to run shell scripts from vendor |
| allow init vendor_shell_exec:file execute; |
| |
| # Metadata setup |
| allow init vold_metadata_file:dir create_dir_perms; |
| allow init vold_metadata_file:file getattr; |
| allow init metadata_bootstat_file:dir create_dir_perms; |
| allow init metadata_bootstat_file:file w_file_perms; |
| |
| # Allow init to touch PSI monitors |
| allow init proc_pressure_mem:file { rw_file_perms setattr }; |
| |
| # init is using bootstrap bionic |
| allow init system_bootstrap_lib_file:dir r_dir_perms; |
| allow init system_bootstrap_lib_file:file { execute read open getattr map }; |
| |
| # stat the root dir of fuse filesystems (for the mount handler) |
| allow init fuse:dir { search getattr }; |
| |
| ### |
| ### neverallow rules |
| ### |
| |
| # The init domain is only entered via an exec based transition from the |
| # kernel domain, never via setcon(). |
| neverallow domain init:process dyntransition; |
| neverallow { domain -kernel } init:process transition; |
| neverallow init { file_type fs_type -init_exec }:file entrypoint; |
| |
| # Never read/follow symlinks created by shell or untrusted apps. |
| neverallow init shell_data_file:lnk_file read; |
| neverallow init { app_data_file privapp_data_file }:lnk_file read; |
| |
| # init should never execute a program without changing to another domain. |
| neverallow init { file_type fs_type }:file execute_no_trans; |
| |
| # The use of sensitive environment variables, such as LD_PRELOAD, is disallowed |
| # when init is executing other binaries. The use of LD_PRELOAD for init spawned |
| # services is generally considered a no-no, as it injects libraries which the |
| # binary was not expecting. This is especially problematic for APEXes. The use |
| # of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads |
| # code into a process which wasn't expecting that code, with potentially |
| # unexpected side effects. (b/140789528) |
| neverallow init *:process noatsecure; |
| |
| # init can never add binder services |
| neverallow init service_manager_type:service_manager { add find }; |
| # init can never list binder services |
| neverallow init servicemanager:service_manager list; |
| |
| # Init should not be creating subdirectories in /data/local/tmp |
| neverallow init shell_data_file:dir { write add_name remove_name }; |
| |
| # Init should not access sysfs node that are not explicitly labeled. |
| neverallow init sysfs:file { open read write }; |
| |
| # No domain should be allowed to ptrace init. |
| neverallow * init:process ptrace; |
| |
| # init owns the root of /data |
| # TODO(b/140259336) We want to remove vendor_init |
| # TODO(b/141108496) We want to remove toolbox |
| neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name }; |