microdroid/system/public/vendor_init.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # vendor_init is its own domain.
 type vendor_init, domain;

 # Communication to the main init process
 allow vendor_init init:unix_stream_socket { read write };

 # Logging to kmsg
 allow vendor_init kmsg_device:chr_file { open getattr write };

 # Mount on /dev/usb-ffs/adb.
 allow vendor_init device:dir mounton;

 # Create and remove symlinks in /.
 allow vendor_init rootfs:lnk_file { create unlink };

 # Create cgroups mount points in tmpfs and mount cgroups on them.
 allow vendor_init cgroup:dir create_dir_perms;
 allow vendor_init cgroup:file w_file_perms;
 allow vendor_init cgroup_v2:dir create_dir_perms;
 allow vendor_init cgroup_v2:file w_file_perms;

 # /config
 allow vendor_init configfs:dir mounton;
 allow vendor_init configfs:dir create_dir_perms;
 allow vendor_init configfs:{ file lnk_file } create_file_perms;

 # Create directories under /dev/cpuctl after chowning it to system.
 allow vendor_init self:global_capability_class_set { dac_override dac_read_search };

 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
 # chown/chmod require open+read+setattr required for open()+fchown/fchmod().
 # system/core/init.rc requires at least cache_file and data_file_type.
 # init.<board>.rc files often include device-specific types, so
 # we just allow all file types except /system files here.
 allow vendor_init self:global_capability_class_set { chown fowner fsetid };

 allow vendor_init system_data_file:dir getattr;

 allow vendor_init {
   file_type
   -exec_type
   -system_file_type
   -unlabeled
   -vendor_file_type
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };

 allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };

 allow vendor_init {
   file_type
   -exec_type
   -system_file_type
   -unlabeled
   -vendor_file_type
   -apex_info_file
   enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };

 allow vendor_init {
   file_type
   -exec_type
   -system_file_type
   -unlabeled
   -vendor_file_type
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

 allow vendor_init {
   file_type
   -apex_mnt_dir
   -exec_type
   -system_file_type
   -unlabeled
   -vendor_file_type
 }:lnk_file { create getattr setattr relabelfrom unlink };

 allow vendor_init {
   file_type
   -exec_type
   -system_file_type
   -vendor_file_type
 }:dir_file_class_set relabelto;

 allow vendor_init dev_type:dir create_dir_perms;
 allow vendor_init dev_type:lnk_file create;

 # Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
 allow vendor_init debugfs_tracing:file w_file_perms;

 # chown/chmod on pseudo files.
 allow vendor_init {
   fs_type
   -fusefs_type
   -rootfs
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time
   -proc_uid_concurrent_policy_time
   enforce_debugfs_restriction(`-debugfs_type')
 }:file { open read setattr map };

 allow vendor_init tracefs_type:file { open read setattr map };

 allow vendor_init {
   fs_type
   -fusefs_type
   -rootfs
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time
   -proc_uid_concurrent_policy_time
 }:dir  { open read setattr search };

 allow vendor_init dev_type:blk_file getattr;

 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
 r_dir_file(vendor_init, proc_net_type)
 allow vendor_init proc_net_type:file w_file_perms;
 allow vendor_init self:global_capability_class_set net_admin;

 # Write to /proc/sys/vm/page-cluster
 allow vendor_init proc_page_cluster:file w_file_perms;

 # Write to sysfs nodes.
 allow vendor_init sysfs_type:dir r_dir_perms;
 allow vendor_init sysfs_type:lnk_file read;
 allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;

 # setfscreatecon() for labeling directories and socket files.
 allow vendor_init self:process { setfscreate };

 r_dir_file(vendor_init, vendor_file_type)

 # Vendor init can perform operations on trusted and security Extended Attributes
 allow vendor_init self:global_capability_class_set sys_admin;

 # vendor_init is using bootstrap bionic
 use_bootstrap_libs(vendor_init)

 # Get file context
 allow vendor_init file_contexts_file:file r_file_perms;

 # Allow vendor_init to (re)set nice
 allow vendor_init self:capability sys_nice;

 # chown/chmod on devices, e.g. /dev/ttyHS0
 allow vendor_init {
   dev_type
   -hw_random_device
 }:chr_file setattr;
	# vendor_init is its own domain.
	type vendor_init, domain;

	# Communication to the main init process
	allow vendor_init init:unix_stream_socket { read write };

	# Logging to kmsg
	allow vendor_init kmsg_device:chr_file { open getattr write };

	# Mount on /dev/usb-ffs/adb.
	allow vendor_init device:dir mounton;

	# Create and remove symlinks in /.
	allow vendor_init rootfs:lnk_file { create unlink };

	# Create cgroups mount points in tmpfs and mount cgroups on them.
	allow vendor_init cgroup:dir create_dir_perms;
	allow vendor_init cgroup:file w_file_perms;
	allow vendor_init cgroup_v2:dir create_dir_perms;
	allow vendor_init cgroup_v2:file w_file_perms;

	# /config
	allow vendor_init configfs:dir mounton;
	allow vendor_init configfs:dir create_dir_perms;
	allow vendor_init configfs:{ file lnk_file } create_file_perms;

	# Create directories under /dev/cpuctl after chowning it to system.
	allow vendor_init self:global_capability_class_set { dac_override dac_read_search };

	# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
	# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
	# system/core/init.rc requires at least cache_file and data_file_type.
	# init.<board>.rc files often include device-specific types, so
	# we just allow all file types except /system files here.
	allow vendor_init self:global_capability_class_set { chown fowner fsetid };

	allow vendor_init system_data_file:dir getattr;

	allow vendor_init {
	file_type
	-exec_type
	-system_file_type
	-unlabeled
	-vendor_file_type
	}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };

	allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };

	allow vendor_init {
	file_type
	-exec_type
	-system_file_type
	-unlabeled
	-vendor_file_type
	-apex_info_file
	enforce_debugfs_restriction(`-debugfs_type')
	}:file { create getattr open read write setattr relabelfrom unlink map };

	allow vendor_init {
	file_type
	-exec_type
	-system_file_type
	-unlabeled
	-vendor_file_type
	}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

	allow vendor_init {
	file_type
	-apex_mnt_dir
	-exec_type
	-system_file_type
	-unlabeled
	-vendor_file_type
	}:lnk_file { create getattr setattr relabelfrom unlink };

	allow vendor_init {
	file_type
	-exec_type
	-system_file_type
	-vendor_file_type
	}:dir_file_class_set relabelto;

	allow vendor_init dev_type:dir create_dir_perms;
	allow vendor_init dev_type:lnk_file create;

	# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
	allow vendor_init debugfs_tracing:file w_file_perms;

	# chown/chmod on pseudo files.
	allow vendor_init {
	fs_type
	-fusefs_type
	-rootfs
	-proc_uid_time_in_state
	-proc_uid_concurrent_active_time
	-proc_uid_concurrent_policy_time
	enforce_debugfs_restriction(`-debugfs_type')
	}:file { open read setattr map };

	allow vendor_init tracefs_type:file { open read setattr map };

	allow vendor_init {
	fs_type
	-fusefs_type
	-rootfs
	-proc_uid_time_in_state
	-proc_uid_concurrent_active_time
	-proc_uid_concurrent_policy_time
	}:dir { open read setattr search };

	allow vendor_init dev_type:blk_file getattr;

	# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
	r_dir_file(vendor_init, proc_net_type)
	allow vendor_init proc_net_type:file w_file_perms;
	allow vendor_init self:global_capability_class_set net_admin;

	# Write to /proc/sys/vm/page-cluster
	allow vendor_init proc_page_cluster:file w_file_perms;

	# Write to sysfs nodes.
	allow vendor_init sysfs_type:dir r_dir_perms;
	allow vendor_init sysfs_type:lnk_file read;
	allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;

	# setfscreatecon() for labeling directories and socket files.
	allow vendor_init self:process { setfscreate };

	r_dir_file(vendor_init, vendor_file_type)

	# Vendor init can perform operations on trusted and security Extended Attributes
	allow vendor_init self:global_capability_class_set sys_admin;

	# vendor_init is using bootstrap bionic
	use_bootstrap_libs(vendor_init)

	# Get file context
	allow vendor_init file_contexts_file:file r_file_perms;

	# Allow vendor_init to (re)set nice
	allow vendor_init self:capability sys_nice;

	# chown/chmod on devices, e.g. /dev/ttyHS0
	allow vendor_init {
	dev_type
	-hw_random_device
	}:chr_file setattr;