1# init is its own domain.
2type init, domain, mlstrustedsubject;
3
4# The init domain is entered by execing init.
5type init_exec, exec_type, file_type;
6
7# /dev/__null__ node created by init.
8allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
9
10#
11# init direct restorecon calls.
12#
13# /dev/kmsg
14allow init tmpfs:chr_file relabelfrom;
15allow init kmsg_device:chr_file { write relabelto };
16# /dev/kmsg_debug
17userdebug_or_eng(`
18  allow init kmsg_debug_device:chr_file { write relabelto };
19')
20# /dev/__properties__
21allow init properties_device:dir relabelto;
22allow init properties_serial:file { write relabelto };
23allow init property_type:file { create_file_perms relabelto };
24# /dev/__properties__/property_info
25allow init properties_device:file create_file_perms;
26allow init property_info:file relabelto;
27# /dev/event-log-tags
28allow init device:file relabelfrom;
29allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
30# /dev/socket
31allow init { device socket_device }:dir relabelto;
32# /dev/random, /dev/urandom
33allow init random_device:chr_file relabelto;
34# /dev/device-mapper, /dev/block(/.*)?
35allow init tmpfs:{ chr_file blk_file } relabelfrom;
36allow init tmpfs:blk_file getattr;
37allow init block_device:{ dir blk_file lnk_file } relabelto;
38allow init dm_device:{ chr_file blk_file } relabelto;
39allow init kernel:fd use;
40# restorecon for early mount device symlinks
41allow init tmpfs:lnk_file { getattr read relabelfrom };
42allow init {
43  misc_block_device
44  recovery_block_device
45  system_block_device
46}:{ blk_file lnk_file } relabelto;
47
48# setrlimit
49allow init self:global_capability_class_set sys_resource;
50
51# Remove /dev/.booting, created before initial policy load or restorecon /dev.
52allow init tmpfs:file unlink;
53
54# Access pty created for fsck.
55allow init devpts:chr_file { read write open };
56
57# Create /dev/fscklogs files.
58allow init fscklogs:file create_file_perms;
59
60# Access /dev/__null__ node created prior to initial policy load.
61allow init tmpfs:chr_file write;
62
63# Access /dev/console.
64allow init console_device:chr_file rw_file_perms;
65
66# Access /dev/tty0.
67allow init tty_device:chr_file rw_file_perms;
68
69# Call mount(2).
70allow init self:global_capability_class_set sys_admin;
71
72# Create and mount on directories in /.
73allow init rootfs:dir create_dir_perms;
74allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
75allow init cgroup_bpf:dir { create mounton };
76
77# Mount bpf fs on sys/fs/bpf
78allow init fs_bpf:dir mounton;
79
80# Mount on /dev/usb-ffs/adb.
81allow init device:dir mounton;
82
83# Create and remove symlinks in /.
84allow init rootfs:lnk_file { create unlink };
85
86# Mount debugfs on /sys/kernel/debug.
87allow init sysfs:dir mounton;
88
89# Create cgroups mount points in tmpfs and mount cgroups on them.
90allow init tmpfs:dir create_dir_perms;
91allow init tmpfs:dir mounton;
92allow init cgroup:dir create_dir_perms;
93r_dir_file(init, cgroup)
94allow init cpuctl_device:dir { create mounton };
95
96# /config
97allow init configfs:dir mounton;
98allow init configfs:dir create_dir_perms;
99allow init configfs:{ file lnk_file } create_file_perms;
100
101# /metadata
102allow init metadata_file:dir mounton;
103
104# Use tmpfs as /data, used for booting when /data is encrypted
105allow init tmpfs:dir relabelfrom;
106
107# Create directories under /dev/cpuctl after chowning it to system.
108allow init self:global_capability_class_set dac_override;
109
110# Set system clock.
111allow init self:global_capability_class_set sys_time;
112
113allow init self:global_capability_class_set { sys_rawio mknod };
114
115# Mounting filesystems from block devices.
116allow init dev_type:blk_file r_file_perms;
117
118# Mounting filesystems.
119# Only allow relabelto for types used in context= mount options,
120# which should all be assigned the contextmount_type attribute.
121# This can be done in device-specific policy via type or typeattribute
122# declarations.
123allow init fs_type:filesystem ~relabelto;
124allow init unlabeled:filesystem ~relabelto;
125allow init contextmount_type:filesystem relabelto;
126
127# Allow read-only access to context= mounted filesystems.
128allow init contextmount_type:dir r_dir_perms;
129allow init contextmount_type:notdevfile_class_set r_file_perms;
130
131# restorecon /adb_keys or any other rootfs files and directories to a more
132# specific type.
133allow init rootfs:{ dir file } relabelfrom;
134
135# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
136# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
137# system/core/init.rc requires at least cache_file and data_file_type.
138# init.<board>.rc files often include device-specific types, so
139# we just allow all file types except /system files here.
140allow init self:global_capability_class_set { chown fowner fsetid };
141
142allow init {
143  file_type
144  -app_data_file
145  -exec_type
146  -misc_logd_file
147  -nativetest_data_file
148  -system_app_data_file
149  -system_file
150  -vendor_file_type
151}:dir { create search getattr open read setattr ioctl };
152
153allow init {
154  file_type
155  -app_data_file
156  -exec_type
157  -keystore_data_file
158  -misc_logd_file
159  -nativetest_data_file
160  -shell_data_file
161  -system_app_data_file
162  -system_file
163  -vendor_file_type
164  -vold_data_file
165}:dir { write add_name remove_name rmdir relabelfrom };
166
167allow init {
168  file_type
169  -app_data_file
170  -runtime_event_log_tags_file
171  -exec_type
172  -keystore_data_file
173  -misc_logd_file
174  -nativetest_data_file
175  -shell_data_file
176  -system_app_data_file
177  -system_file
178  -vendor_file_type
179  -vold_data_file
180}:file { create getattr open read write setattr relabelfrom unlink };
181
182allow init {
183  file_type
184  -app_data_file
185  -exec_type
186  -keystore_data_file
187  -misc_logd_file
188  -nativetest_data_file
189  -shell_data_file
190  -system_app_data_file
191  -system_file
192  -vendor_file_type
193  -vold_data_file
194}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
195
196allow init {
197  file_type
198  -app_data_file
199  -exec_type
200  -keystore_data_file
201  -misc_logd_file
202  -nativetest_data_file
203  -shell_data_file
204  -system_app_data_file
205  -system_file
206  -vendor_file_type
207  -vold_data_file
208}:lnk_file { create getattr setattr relabelfrom unlink };
209
210allow init cache_file:lnk_file r_file_perms;
211
212allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
213allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
214allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
215allow init dev_type:dir create_dir_perms;
216allow init dev_type:lnk_file create;
217
218# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
219allow init debugfs_tracing:file w_file_perms;
220
221# Setup and control wifi event tracing (see wifi-events.rc)
222allow init debugfs_tracing_instances:dir create_dir_perms;
223allow init debugfs_tracing_instances:file w_file_perms;
224allow init debugfs_wifi_tracing:file w_file_perms;
225
226# chown/chmod on pseudo files.
227allow init {
228  fs_type
229  -contextmount_type
230  -proc
231  -sdcard_type
232  -sysfs_type
233  -rootfs
234}:file { open read setattr };
235allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
236
237# init should not be able to read or open generic devices
238# TODO: auditing to see if this can be deleted entirely
239allow init {
240  dev_type
241  -kmem_device
242  -port_device
243  -device
244  -vndbinder_device
245  }:chr_file { read open };
246auditallow init {
247  dev_type
248  -alarm_device
249  -ashmem_device
250  -binder_device
251  -console_device
252  -device
253  -devpts
254  -dm_device
255  -hwbinder_device
256  -hw_random_device
257  -keychord_device
258  -kmem_device
259  -kmsg_device
260  -null_device
261  -owntty_device
262  -port_device
263  -ptmx_device
264  -random_device
265  -zero_device
266}:chr_file { read open };
267
268# chown/chmod on devices.
269allow init { dev_type -kmem_device -port_device }:chr_file setattr;
270
271# Unlabeled file access for upgrades from 4.2.
272allow init unlabeled:dir { create_dir_perms relabelfrom };
273allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
274
275# Any operation that can modify the kernel ring buffer, e.g. clear
276# or a read that consumes the messages that were read.
277allow init kernel:system syslog_mod;
278allow init self:global_capability2_class_set syslog;
279
280# init access to /proc.
281r_dir_file(init, proc_net)
282
283allow init {
284  proc_cmdline
285  proc_diskstats
286  proc_kmsg # Open /proc/kmsg for logd service.
287  proc_meminfo
288  proc_stat # Read /proc/stat for bootchart.
289  proc_uptime
290  proc_version
291}:file r_file_perms;
292
293allow init {
294  proc_abi
295  proc_dirty
296  proc_hostname
297  proc_hung_task
298  proc_extra_free_kbytes
299  proc_net
300  proc_max_map_count
301  proc_min_free_order_shift
302  proc_overcommit_memory
303  proc_panic
304  proc_page_cluster
305  proc_perf
306  proc_sched
307  proc_sysrq
308}:file w_file_perms;
309
310allow init {
311  proc_security
312}:file rw_file_perms;
313
314# init access to /sys files.
315allow init {
316  sysfs_android_usb
317  sysfs_leds
318  sysfs_power
319}:file w_file_perms;
320
321allow init {
322  sysfs_dt_firmware_android
323}:file r_file_perms;
324
325allow init {
326  sysfs_zram
327}:file rw_file_perms;
328
329# Allow init to write to vibrator/trigger
330allow init sysfs_vibrator:file w_file_perms;
331
332# init chmod/chown access to /sys files.
333allow init {
334  sysfs_android_usb
335  sysfs_devices_system_cpu
336  sysfs_ipv4
337  sysfs_leds
338  sysfs_lowmemorykiller
339  sysfs_power
340  sysfs_vibrator
341  sysfs_wake_lock
342}:file setattr;
343
344# Set usermodehelpers.
345allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
346
347allow init self:global_capability_class_set net_admin;
348
349# Reboot.
350allow init self:global_capability_class_set sys_boot;
351
352# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
353# Init will also walk through the directory as part of a recursive restorecon.
354allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
355allow init misc_logd_file:file { open create getattr setattr write };
356
357# Support "adb shell stop"
358allow init self:global_capability_class_set kill;
359allow init domain:process { getpgid sigkill signal };
360
361# Init creates keystore's directory on boot, and walks through
362# the directory as part of a recursive restorecon.
363allow init keystore_data_file:dir { open create read getattr setattr search };
364allow init keystore_data_file:file { getattr };
365
366# Init creates vold's directory on boot, and walks through
367# the directory as part of a recursive restorecon.
368allow init vold_data_file:dir { open create read getattr setattr search };
369allow init vold_data_file:file { getattr };
370
371# Init creates /data/local/tmp at boot
372allow init shell_data_file:dir { open create read getattr setattr search };
373allow init shell_data_file:file { getattr };
374
375# Set UID, GID, and adjust capability bounding set for services.
376allow init self:global_capability_class_set { setuid setgid setpcap };
377
378# For bootchart to read the /proc/$pid/cmdline file of each process,
379# we need to have following line to allow init to have access
380# to different domains.
381r_dir_file(init, domain)
382
383# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
384# setexec is for services with seclabel options.
385# setfscreate is for labeling directories and socket files.
386# setsockcreate is for labeling local/unix domain sockets.
387allow init self:process { setexec setfscreate setsockcreate };
388
389# Get file context
390allow init file_contexts_file:file r_file_perms;
391
392# sepolicy access
393allow init sepolicy_file:file r_file_perms;
394
395# Perform SELinux access checks on setting properties.
396selinux_check_access(init)
397
398# Ask the kernel for the new context on services to label their sockets.
399allow init kernel:security compute_create;
400
401# Create sockets for the services.
402allow init domain:unix_stream_socket { create bind setopt };
403allow init domain:unix_dgram_socket { create bind setopt };
404
405# Create /data/property and files within it.
406allow init property_data_file:dir create_dir_perms;
407allow init property_data_file:file create_file_perms;
408
409# Set any property.
410allow init property_type:property_service set;
411
412# Send an SELinux userspace denial to the kernel audit subsystem,
413# so it can be picked up and processed by logd. These denials are
414# generated when an attempt to set a property is denied by policy.
415allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
416allow init self:global_capability_class_set audit_write;
417
418# Run "ifup lo" to bring up the localhost interface
419allow init self:udp_socket { create ioctl };
420# in addition to unpriv ioctls granted to all domains, init also needs:
421allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
422allow init self:global_capability_class_set net_raw;
423
424# This line seems suspect, as it should not really need to
425# set scheduling parameters for a kernel domain task.
426allow init kernel:process setsched;
427
428# swapon() needs write access to swap device
429# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
430allow init swap_block_device:blk_file rw_file_perms;
431
432# Read from /dev/hw_random if present.
433# system/core/init/init.c - mix_hwrng_into_linux_rng_action
434allow init hw_random_device:chr_file r_file_perms;
435
436# Create and access /dev files without a specific type,
437# e.g. /dev/.coldboot_done, /dev/.booting
438# TODO:  Move these files into their own type unless they are
439# only ever accessed by init.
440allow init device:file create_file_perms;
441
442# keychord configuration
443allow init self:global_capability_class_set sys_tty_config;
444allow init keychord_device:chr_file rw_file_perms;
445
446# Access device mapper for setting up dm-verity
447allow init dm_device:chr_file rw_file_perms;
448allow init dm_device:blk_file rw_file_perms;
449
450# Access metadata block device for storing dm-verity state
451allow init metadata_block_device:blk_file rw_file_perms;
452
453# Read /sys/fs/pstore/console-ramoops to detect restarts caused
454# by dm-verity detecting corrupted blocks
455allow init pstorefs:dir search;
456allow init pstorefs:file r_file_perms;
457allow init kernel:system syslog_read;
458
459# linux keyring configuration
460allow init init:key { write search setattr };
461
462# Allow init to create /data/unencrypted
463allow init unencrypted_data_file:dir create_dir_perms;
464
465# Allow init to write to /proc/sys/vm/overcommit_memory
466allow init proc_overcommit_memory:file { write };
467
468# Raw writes to misc block device
469allow init misc_block_device:blk_file w_file_perms;
470
471r_dir_file(init, system_file)
472r_dir_file(init, vendor_file_type)
473
474allow init system_data_file:file { getattr read };
475allow init system_data_file:lnk_file r_file_perms;
476
477# For init to be able to run shell scripts from vendor
478allow init vendor_shell_exec:file execute;
479
480# Metadata setup
481allow init vold_metadata_file:dir create_dir_perms;
482allow init vold_metadata_file:file getattr;
483
484###
485### neverallow rules
486###
487
488# The init domain is only entered via an exec based transition from the
489# kernel domain, never via setcon().
490neverallow domain init:process dyntransition;
491neverallow { domain -kernel } init:process transition;
492neverallow init { file_type fs_type -init_exec }:file entrypoint;
493
494# Never read/follow symlinks created by shell or untrusted apps.
495neverallow init shell_data_file:lnk_file read;
496neverallow init app_data_file:lnk_file read;
497
498# init should never execute a program without changing to another domain.
499neverallow init { file_type fs_type }:file execute_no_trans;
500
501# Init never adds or uses services via service_manager.
502neverallow init service_manager_type:service_manager { add find };
503neverallow init servicemanager:service_manager list;
504
505# Init should not be creating subdirectories in /data/local/tmp
506neverallow init shell_data_file:dir { write add_name remove_name };
507
508# Init should not access sysfs node that are not explicitly labeled.
509neverallow init sysfs:file { open read write };
510