# SELinux type-enforcement policy for the vendor_init domain: the domain in
# which init executes actions driven by vendor init.<board>.rc files.
# Conventions: one allow rule per line; exclusion sets (`-type`) inside braces
# are listed one per line so reviewers can diff them. Every rule here carries a
# comment naming the init.rc operation that needs it.

# vendor_init is its own domain.
type vendor_init, domain, mlstrustedsubject;

# Communication to the main init process.
allow vendor_init init:unix_stream_socket { read write };

# Vendor init shouldn't communicate with any vendor process, nor most system
# processes. Only the listed exclusions (init, logd, su, itself) may be reached.
neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });

# Logging to kmsg.
allow vendor_init kmsg_device:chr_file { open write };

# Mount on /dev/usb-ffs/adb.
allow vendor_init device:dir mounton;

# Create and remove symlinks in /.
allow vendor_init rootfs:lnk_file { create unlink };

# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir create_dir_perms;

# /config (configfs): mount it, create directories, and create files/symlinks.
allow vendor_init configfs:dir mounton;
allow vendor_init configfs:dir create_dir_perms;
allow vendor_init configfs:{ file lnk_file } create_file_perms;

# Create directories under /dev/cpuctl after chowning it to system.
# dac_override is needed because vendor_init acts on directories it no longer
# owns once they have been chowned away.
allow vendor_init self:global_capability_class_set dac_override;

# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive
# from init.rc files.
# chown/chmod require open+read+setattr, because init implements them as
# open() followed by fchown()/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow vendor_init self:global_capability_class_set { chown fowner fsetid };

# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
allow vendor_init unencrypted_data_file:dir search;
allow vendor_init unencrypted_data_file:file r_file_perms;

# Stat of the /data root only; no read/write of system_data_file.
allow vendor_init system_data_file:dir getattr;

# Broad file-management rules for init.rc operations (see the block comment
# above). The exclusion set is what keeps these from being "everything":
# core data, executables, /system, unlabeled, vendor files and vold metadata
# are all carved out. Any change to an exclusion widens or narrows vendor_init's
# reach across every remaining file_type at once, so review exclusions together.
allow vendor_init {
  file_type
  -core_data_file_type
  -exec_type
  -system_file
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };

# Same exclusion set as the dir rule, plus runtime_event_log_tags_file, which
# only this :file rule excludes.
allow vendor_init {
  file_type
  -core_data_file_type
  -exec_type
  -runtime_event_log_tags_file
  -system_file
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
}:file { create getattr open read write setattr relabelfrom unlink };

allow vendor_init {
  file_type
  -core_data_file_type
  -exec_type
  -system_file
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

allow vendor_init {
  file_type
  -core_data_file_type
  -exec_type
  -system_file
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };

# Target types vendor_init may relabel files *to* (restorecon). NOTE(review):
# unlike the relabelfrom rules above, this set does not exclude `unlabeled`, so
# vendor_init may relabel objects to the unlabeled type — confirm this is intended.
allow vendor_init {
  file_type
  -core_data_file_type
  -exec_type
  -system_file
  -vendor_file_type
  -vold_metadata_file
}:dir_file_class_set relabelto;

# Create directories and symlinks under /dev.
allow vendor_init dev_type:dir create_dir_perms;
allow vendor_init dev_type:lnk_file create;

# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on.
allow vendor_init debugfs_tracing:file w_file_perms;

# chown/chmod on pseudo files. Only open/read/setattr (no write): the exclusions
# keep context-mounted filesystems, sdcard, rootfs and the per-uid proc
# accounting nodes out of reach.
allow vendor_init {
  fs_type
  -contextmount_type
  -sdcard_type
  -rootfs
  -proc_uid_time_in_state
  -proc_uid_concurrent_active_time
  -proc_uid_concurrent_policy_time
}:file { open read setattr };

allow vendor_init {
  fs_type
  -contextmount_type
  -sdcard_type
  -rootfs
  -proc_uid_time_in_state
  -proc_uid_concurrent_active_time
  -proc_uid_concurrent_policy_time
}:dir { open read setattr search };

# chown/chmod on devices, e.g. /dev/ttyHS0. setattr only; kmem, port, lowpan
# and hw_random devices are excluded.
allow vendor_init {
  dev_type
  -kmem_device
  -port_device
  -lowpan_device
  -hw_random_device
}:chr_file setattr;

allow vendor_init dev_type:blk_file getattr;

# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
# net_admin is the capability the kernel checks for those sysctl writes.
r_dir_file(vendor_init, proc_net)
allow vendor_init proc_net:file w_file_perms;
allow vendor_init self:global_capability_class_set net_admin;

# Write to /proc/sys/vm/page-cluster.
allow vendor_init proc_page_cluster:file w_file_perms;

# Write to sysfs nodes. The usermodehelper node is deliberately excluded from
# the read/write rule.
allow vendor_init sysfs_type:dir r_dir_perms;
allow vendor_init sysfs_type:lnk_file read;
allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;

# setfscreatecon() for labeling directories and socket files.
allow vendor_init self:process { setfscreate };

# Read access to vendor files (dir + file).
r_dir_file(vendor_init, vendor_file_type)

# Vendor init can read the serialno property file directly.
allow vendor_init serialno_prop:file { getattr open read };

# Vendor init can perform operations on trusted and security Extended Attributes.
# CAP_SYS_ADMIN is far broader than xattr handling; the xattr use above is the
# only one this file records, so treat it as the justification when reviewing.
allow vendor_init self:global_capability_class_set sys_admin;

# Raw writes to misc block device.
allow vendor_init misc_block_device:blk_file w_file_perms;

# Property access. When the build does not enforce the compatible-property split
# (not_compatible_property), vendor_init may set any property type except the
# exclusions listed here; otherwise only the explicit set_prop/get_prop rules
# below apply.
not_compatible_property(`
  set_prop(vendor_init, {
    property_type
    -restorecon_prop
    -netd_stable_secret_prop
    -firstboot_prop
    -pm_prop
    -system_boot_reason_prop
    -bootloader_boot_reason_prop
    -last_boot_reason_prop
  })
')

# Properties vendor_init may set regardless of the property split.
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, debug_prop)
set_prop(vendor_init, exported_audio_prop)
set_prop(vendor_init, exported_bluetooth_prop)
set_prop(vendor_init, exported_config_prop)
set_prop(vendor_init, exported_dalvik_prop)
set_prop(vendor_init, exported_default_prop)
set_prop(vendor_init, exported_ffs_prop)
set_prop(vendor_init, exported_overlay_prop)
set_prop(vendor_init, exported_pm_prop)
set_prop(vendor_init, exported_radio_prop)
set_prop(vendor_init, exported_system_radio_prop)
set_prop(vendor_init, exported_wifi_prop)
set_prop(vendor_init, exported2_config_prop)
set_prop(vendor_init, exported2_system_prop)
set_prop(vendor_init, exported2_vold_prop)
set_prop(vendor_init, exported3_default_prop)
set_prop(vendor_init, exported3_radio_prop)
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
set_prop(vendor_init, serialno_prop)
set_prop(vendor_init, vendor_default_prop)
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, wifi_log_prop)

# Properties vendor_init may only read.
get_prop(vendor_init, exported2_radio_prop)
get_prop(vendor_init, exported3_system_prop)