# SELinux type-enforcement rules for the Android init domain.
# init is the first userspace process; the allow rules below describe what it
# must do during boot (mount, relabel, load policy, spawn services), and the
# neverallow rules at the bottom are build-time assertions that no other
# policy file may widen how the init domain is entered.
#
# init switches to init domain (via init.rc).
type init, domain;
# init is unconfined.
# NOTE(review): unconfined_domain() grants a broad baseline of permissions, so
# the individual allow rules below mostly document intent and cover what the
# macro does not; the neverallow section is the effective hard boundary.
unconfined_domain(init)
tmpfs_domain(init)

# sys_rawio: raw access to block devices; mknod: creating device nodes.
allow init self:capability { sys_rawio mknod };

# Run helpers from / or /system without changing domain.
# We do not include exec_type here since generally those
# should always involve a domain transition.
# execute_no_trans keeps the helper in the init domain, i.e. it inherits
# init's full privilege, which is why exec_type is deliberately excluded.
allow init rootfs:file execute_no_trans;
allow init system_file:file execute_no_trans;

# Running e2fsck or mkswap via fs_mgr.
# NOTE(review): dev_type covers every block device node carrying that
# attribute, not only the partitions fs_mgr checks; a device policy can
# narrow this by assigning those partitions a more specific type.
allow init dev_type:blk_file rw_file_perms;

# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
# "~relabelto" is the complement: every filesystem permission except relabelto.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;

# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;

# restorecon /adb_keys or any other rootfs files to a more specific type.
allow init rootfs:file relabelfrom;

# restorecon and restorecon_recursive calls from init.rc files.
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
# The -system_file -exec_type exclusions mean init cannot relabel a file
# into the /system type or into any executable type; keep them when
# extending this rule in device policy.
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
allow init sysfs_type:{ dir file lnk_file } relabelto;

# Unlabeled file access for upgrades from 4.2.
# NOTE(review): this is an upgrade-compatibility path (files with no label
# yet); relabelfrom is what lets the first-boot restorecon assign a type.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };

# Create /data/security from init.rc post-fs-data.
allow init security_file:dir { create setattr };

# setprop selinux.reload_policy 1 from init.rc post-fs-data.
allow init security_prop:property_service set;

# Reload policy upon setprop selinux.reload_policy 1.
# kernel:security load_policy lets init replace the running policy; it is
# the most powerful permission in this file and is only meaningful together
# with the security_prop and security_file rules above.
r_dir_file(init, security_file)
allow init kernel:security load_policy;

# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;

# Set usermodehelpers and /proc security settings.
# NOTE(review): writing usermodehelper paths chooses which binaries the
# kernel itself will execute; this is a boot-time-only need.
allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;

# Transitions to seclabel processes in init.rc
# Each domain_trans() grants the exec-based transition from init into the
# named domain via the named entrypoint type; recovery is only present in
# the recovery build.
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, healthd)
recovery_only(`
  domain_trans(init, rootfs, recovery)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, rootfs, ueventd)
domain_trans(init, rootfs, watchdogd)

# Certain domains need LD_PRELOAD passed from init.
# https://android-review.googlesource.com/94851
# For now, allow it to most domains.
# TODO: scope this down.
# noatsecure lets the new process start without AT_SECURE, so the dynamic
# linker does not discard environment such as LD_PRELOAD across the
# transition. Only lmkd is excluded; the TODO above is still open.
allow init { domain -lmkd }:process noatsecure;

# Support "adb shell stop"
# init may SIGKILL any process in any domain.
allow init domain:process sigkill;

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };

# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };

# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
# These let init choose the label of what it creates or execs next, which is
# how seclabel lines in init.rc take effect.
allow init self:process { setexec setfscreate setsockcreate };

# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;

# Set any property.
# property_type is the attribute shared by all property types, so this is
# unrestricted write access to the property service.
allow init property_type:property_service set;

# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };

# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
# NOTE(review): if no denial is observed at boot without it, this rule is a
# candidate for removal; until then it is kept as the author left it.
allow init kernel:process setsched;

###
### neverallow rules
###
# neverallow rules are checked when the policy is compiled: if any rule
# anywhere in the combined policy would grant one of these permissions,
# the build fails.

# The init domain is only entered via setcon from the kernel domain,
# never via an exec-based transition.
neverallow { domain -kernel} init:process dyntransition;
neverallow domain init:process transition;
neverallow init { file_type fs_type }:file entrypoint;