typeattribute init coredomain;

tmpfs_domain(init)

# Transitions to seclabel processes in init.rc
# domain_trans() lets init enter the target domain when it execs a file of the
# given type; domain_auto_trans() presumably also installs the default
# type_transition so no seclabel line is needed in init.rc (confirm against
# the te_macros definitions).
domain_trans(init, rootfs, healthd)
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, charger_exec, charger)
domain_auto_trans(init, e2fs_exec, e2fs)
domain_auto_trans(init, bpfloader_exec, bpfloader)

recovery_only(`
  # Files in recovery image are labeled as rootfs, so these daemons have no
  # dedicated *_exec type to key on; the transitions are keyed on rootfs and
  # only apply to the recovery policy (recovery_only).
  domain_trans(init, rootfs, adbd)
  domain_trans(init, rootfs, charger)
  domain_trans(init, rootfs, fastbootd)
  domain_trans(init, rootfs, recovery)
  domain_trans(init, rootfs, linkerconfig)
  domain_trans(init, rootfs, snapuserd)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, vendor_init)
domain_trans(init, { rootfs toolbox_exec }, modprobe)
userdebug_or_eng(`
  # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
  domain_auto_trans(init, logcat_exec, logpersist)

  # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
  # Debug builds only: the transition into su, and carrying signal state and
  # rlimits across it, are inside userdebug_or_eng and so absent from user builds.
  allow init su:process transition;
  dontaudit init su:process noatsecure;
  allow init su:process { siginh rlimitinh };
')

# Allow init to figure out name of dm-device from its /dev/block/dm-XX path.
# This is useful in case of remounting ext4 userdata into checkpointing mode,
# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
# that userdata is mounted onto.
allow init sysfs_dm:file read;

# Allow init to modify the properties of loop devices.
allow init sysfs_loop:dir r_dir_perms;
allow init sysfs_loop:file rw_file_perms;

# Allow init to examine the properties of block devices.
# Read-only: getattr and read, no write on sysfs_block_type.
allow init sysfs_block_type:file { getattr read };
# Allow init to access /dev/block: directory listing plus stat of the block
# nodes; this rule does not grant open/read/write on the block devices.
allow init bdev_type:dir r_dir_perms;
allow init bdev_type:blk_file getattr;

# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;

# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)

# Only init is allowed to set userspace reboot related properties.
# The neverallow turns the "only init" statement into a build-time guarantee:
# any other domain granted set on this property fails policy compilation.
set_prop(init, userspace_reboot_exported_prop)
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;

# Second-stage init performs a test for whether the kernel has SELinux hooks
# for the perf_event_open() syscall. This is done by testing for the syscall
# outcomes corresponding to this policy.
# TODO(b/137092007): this can be removed once the platform stops supporting
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
# and 4.9).
# The allowed set { open cpu } (plus the perfmon capability) and the
# neverallow'd set { kernel tracepoint read write } are the two outcomes the
# probe distinguishes; the matching dontaudit keeps the probe's expected
# denials out of the audit log.
allow init self:perf_event { open cpu };
allow init self:global_capability2_class_set perfmon;
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };

# Allow init to communicate with snapuserd to transition Virtual A/B devices
# from the first-stage daemon to the second-stage.
allow init snapuserd_socket:sock_file write;
allow init snapuserd:unix_stream_socket connectto;
# Allow for libsnapshot's use of flock() on /metadata/ota.
allow init ota_metadata_file:dir lock;

# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;

# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;

# Only init can write vts.native_server.on
set_prop(init, vts_status_prop)
neverallow { domain -init } vts_status_prop:property_service set;

# Only init can write normal ro.boot. properties
# NOTE(review): unlike the properties above, no set_prop() is granted here
# even for init; the following blocks are restriction-only, so whatever path
# init uses to populate these does not go through these rules — confirm.
neverallow { domain -init } bootloader_prop:property_service set;

# Only init can write hal.instrumentation.enable
neverallow { domain -init } hal_instrumentation_prop:property_service set;

# Only init can write ro.property_service.version
neverallow { domain -init } property_service_version_prop:property_service set;

# Only init can set keystore.boot_level
neverallow { domain -init } keystore_listen_prop:property_service set;

# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;

# chown/chmod on devices.
# Deliberately excludes the hw_random, keychord, kvm and port character
# devices: init is not permitted to change their ownership or mode.
allow init {
  dev_type
  -hw_random_device
  -keychord_device
  -kvm_device
  -port_device
}:chr_file setattr;