public/vendor_init.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # vendor_init is its own domain.
 type vendor_init, domain, mlstrustedsubject;

 # Communication to the main init process
 allow vendor_init init:unix_stream_socket { read write };

 # Vendor init shouldn't communicate with any vendor process, nor most system processes.
 neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });

 # Logging to kmsg
 allow vendor_init kmsg_device:chr_file { open write };

 # Mount on /dev/usb-ffs/adb.
 allow vendor_init device:dir mounton;

 # Create and remove symlinks in /.
 allow vendor_init rootfs:lnk_file { create unlink };

 # Create cgroups mount points in tmpfs and mount cgroups on them.
 allow vendor_init cgroup:dir create_dir_perms;

 # /config
 allow vendor_init configfs:dir mounton;
 allow vendor_init configfs:dir create_dir_perms;
 allow vendor_init configfs:{ file lnk_file } create_file_perms;

 # Create directories under /dev/cpuctl after chowning it to system.
 allow vendor_init self:global_capability_class_set dac_override;

 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
 # chown/chmod require open+read+setattr required for open()+fchown/fchmod().
 # system/core/init.rc requires at least cache_file and data_file_type.
 # init.<board>.rc files often include device-specific types, so
 # we just allow all file types except /system files here.
 allow vendor_init self:global_capability_class_set { chown fowner fsetid };

 allow vendor_init {
   file_type
   -core_data_file_type
   -exec_type
   -system_file
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };

 allow vendor_init {
   file_type
   -core_data_file_type
   -exec_type
   -runtime_event_log_tags_file
   -system_file
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
 }:file { create getattr open read write setattr relabelfrom unlink };

 allow vendor_init {
   file_type
   -core_data_file_type
   -exec_type
   -system_file
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

 allow vendor_init {
   file_type
   -core_data_file_type
   -exec_type
   -system_file
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };

 allow vendor_init {
   file_type
   -core_data_file_type
   -exec_type
   -system_file
   -vendor_file_type
   -vold_metadata_file
 }:dir_file_class_set relabelto;

 allow vendor_init dev_type:dir create_dir_perms;
 allow vendor_init dev_type:lnk_file create;

 # Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
 allow vendor_init debugfs_tracing:file w_file_perms;

 # chown/chmod on pseudo files.
 allow vendor_init {
   fs_type
   -contextmount_type
   -sdcard_type
   -rootfs
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time
   -proc_uid_concurrent_policy_time
 }:file { open read setattr };

 allow vendor_init {
   fs_type
   -contextmount_type
   -sdcard_type
   -rootfs
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time
   -proc_uid_concurrent_policy_time
 }:dir  { open read setattr search };

 # chown/chmod on devices, e.g. /dev/ttyHS0
 allow vendor_init {
   dev_type
   -kmem_device
   -port_device
   -lowpan_device
   -hw_random_device
 }:chr_file setattr;

 allow vendor_init dev_type:blk_file getattr;

 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
 r_dir_file(vendor_init, proc_net)
 allow vendor_init proc_net:file w_file_perms;
 allow vendor_init self:global_capability_class_set net_admin;

 # Write to /proc/sys/vm/page-cluster
 allow vendor_init proc_page_cluster:file w_file_perms;

 # Write to sysfs nodes.
 allow vendor_init sysfs_type:dir r_dir_perms;
 allow vendor_init sysfs_type:lnk_file read;
 allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;

 # setfscreatecon() for labeling directories and socket files.
 allow vendor_init self:process { setfscreate };

 r_dir_file(vendor_init, vendor_file_type)

 # Vendor init can read properties
 allow vendor_init serialno_prop:file { getattr open read };

 # Vendor init can perform operations on trusted and security Extended Attributes
 allow vendor_init self:global_capability_class_set sys_admin;

 not_compatible_property(`
     set_prop(vendor_init, {
       property_type
       -restorecon_prop
       -netd_stable_secret_prop
       -firstboot_prop
       -pm_prop
       -system_boot_reason_prop
       -bootloader_boot_reason_prop
       -last_boot_reason_prop
     })
 ')

 set_prop(vendor_init, debug_prop)
 set_prop(vendor_init, exported_config_prop)
 set_prop(vendor_init, exported_dalvik_prop)
 set_prop(vendor_init, exported_default_prop)
 set_prop(vendor_init, exported_ffs_prop)
 set_prop(vendor_init, exported_overlay_prop)
 set_prop(vendor_init, exported_pm_prop)
 set_prop(vendor_init, exported_radio_prop)
 set_prop(vendor_init, exported_system_radio_prop)
 set_prop(vendor_init, exported2_config_prop)
 set_prop(vendor_init, exported2_system_prop)
 set_prop(vendor_init, exported2_vold_prop)
 set_prop(vendor_init, exported3_default_prop)
 set_prop(vendor_init, exported3_radio_prop)
 set_prop(vendor_init, logd_prop)
 set_prop(vendor_init, log_tag_prop)
 set_prop(vendor_init, log_prop)
 set_prop(vendor_init, serialno_prop)
 set_prop(vendor_init, vendor_default_prop)
 set_prop(vendor_init, wifi_log_prop)

 get_prop(vendor_init, exported2_radio_prop)
 get_prop(vendor_init, exported3_system_prop)
	# vendor_init is its own domain.
	type vendor_init, domain, mlstrustedsubject;

	# Communication to the main init process
	allow vendor_init init:unix_stream_socket { read write };

	# Vendor init shouldn't communicate with any vendor process, nor most system processes.
	neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });

	# Logging to kmsg
	allow vendor_init kmsg_device:chr_file { open write };

	# Mount on /dev/usb-ffs/adb.
	allow vendor_init device:dir mounton;

	# Create and remove symlinks in /.
	allow vendor_init rootfs:lnk_file { create unlink };

	# Create cgroups mount points in tmpfs and mount cgroups on them.
	allow vendor_init cgroup:dir create_dir_perms;

	# /config
	allow vendor_init configfs:dir mounton;
	allow vendor_init configfs:dir create_dir_perms;
	allow vendor_init configfs:{ file lnk_file } create_file_perms;

	# Create directories under /dev/cpuctl after chowning it to system.
	allow vendor_init self:global_capability_class_set dac_override;

	# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
	# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
	# system/core/init.rc requires at least cache_file and data_file_type.
	# init.<board>.rc files often include device-specific types, so
	# we just allow all file types except /system files here.
	allow vendor_init self:global_capability_class_set { chown fowner fsetid };

	allow vendor_init {
	file_type
	-core_data_file_type
	-exec_type
	-system_file
	-unlabeled
	-vendor_file_type
	-vold_metadata_file
	}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };

	allow vendor_init {
	file_type
	-core_data_file_type
	-exec_type
	-runtime_event_log_tags_file
	-system_file
	-unlabeled
	-vendor_file_type
	-vold_metadata_file
	}:file { create getattr open read write setattr relabelfrom unlink };

	allow vendor_init {
	file_type
	-core_data_file_type
	-exec_type
	-system_file
	-unlabeled
	-vendor_file_type
	-vold_metadata_file
	}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

	allow vendor_init {
	file_type
	-core_data_file_type
	-exec_type
	-system_file
	-unlabeled
	-vendor_file_type
	-vold_metadata_file
	}:lnk_file { create getattr setattr relabelfrom unlink };

	allow vendor_init {
	file_type
	-core_data_file_type
	-exec_type
	-system_file
	-vendor_file_type
	-vold_metadata_file
	}:dir_file_class_set relabelto;

	allow vendor_init dev_type:dir create_dir_perms;
	allow vendor_init dev_type:lnk_file create;

	# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
	allow vendor_init debugfs_tracing:file w_file_perms;

	# chown/chmod on pseudo files.
	allow vendor_init {
	fs_type
	-contextmount_type
	-sdcard_type
	-rootfs
	-proc_uid_time_in_state
	-proc_uid_concurrent_active_time
	-proc_uid_concurrent_policy_time
	}:file { open read setattr };

	allow vendor_init {
	fs_type
	-contextmount_type
	-sdcard_type
	-rootfs
	-proc_uid_time_in_state
	-proc_uid_concurrent_active_time
	-proc_uid_concurrent_policy_time
	}:dir { open read setattr search };

	# chown/chmod on devices, e.g. /dev/ttyHS0
	allow vendor_init {
	dev_type
	-kmem_device
	-port_device
	-lowpan_device
	-hw_random_device
	}:chr_file setattr;

	allow vendor_init dev_type:blk_file getattr;

	# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
	r_dir_file(vendor_init, proc_net)
	allow vendor_init proc_net:file w_file_perms;
	allow vendor_init self:global_capability_class_set net_admin;

	# Write to /proc/sys/vm/page-cluster
	allow vendor_init proc_page_cluster:file w_file_perms;

	# Write to sysfs nodes.
	allow vendor_init sysfs_type:dir r_dir_perms;
	allow vendor_init sysfs_type:lnk_file read;
	allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;

	# setfscreatecon() for labeling directories and socket files.
	allow vendor_init self:process { setfscreate };

	r_dir_file(vendor_init, vendor_file_type)

	# Vendor init can read properties
	allow vendor_init serialno_prop:file { getattr open read };

	# Vendor init can perform operations on trusted and security Extended Attributes
	allow vendor_init self:global_capability_class_set sys_admin;

	not_compatible_property(`
	set_prop(vendor_init, {
	property_type
	-restorecon_prop
	-netd_stable_secret_prop
	-firstboot_prop
	-pm_prop
	-system_boot_reason_prop
	-bootloader_boot_reason_prop
	-last_boot_reason_prop
	})
	')

	set_prop(vendor_init, debug_prop)
	set_prop(vendor_init, exported_config_prop)
	set_prop(vendor_init, exported_dalvik_prop)
	set_prop(vendor_init, exported_default_prop)
	set_prop(vendor_init, exported_ffs_prop)
	set_prop(vendor_init, exported_overlay_prop)
	set_prop(vendor_init, exported_pm_prop)
	set_prop(vendor_init, exported_radio_prop)
	set_prop(vendor_init, exported_system_radio_prop)
	set_prop(vendor_init, exported2_config_prop)
	set_prop(vendor_init, exported2_system_prop)
	set_prop(vendor_init, exported2_vold_prop)
	set_prop(vendor_init, exported3_default_prop)
	set_prop(vendor_init, exported3_radio_prop)
	set_prop(vendor_init, logd_prop)
	set_prop(vendor_init, log_tag_prop)
	set_prop(vendor_init, log_prop)
	set_prop(vendor_init, serialno_prop)
	set_prop(vendor_init, vendor_default_prop)
	set_prop(vendor_init, wifi_log_prop)

	get_prop(vendor_init, exported2_radio_prop)
	get_prop(vendor_init, exported3_system_prop)