1# init is its own domain.
2type init, domain, mlstrustedsubject;
3tmpfs_domain(init)
4
5# The init domain is entered by execing init.
6type init_exec, exec_type, file_type;
7
8# /dev/__null__ node created by init.
9allow init tmpfs:chr_file create_file_perms;
10
11#
12# init direct restorecon calls.
13#
14# /dev/socket
15allow init { device socket_device }:dir relabelto;
16# /dev/__properties__
17allow init tmpfs:file relabelfrom;
18allow init properties_device:file relabelto;
19
20# setrlimit
21allow init self:capability sys_resource;
22
23# Remove /dev/.booting, created before initial policy load or restorecon /dev.
24allow init tmpfs:file unlink;
25
26# Access pty created for fsck.
27allow init devpts:chr_file { read write open };
28
29# Create /dev/fscklogs files.
30allow init fscklogs:file create_file_perms;
31
32# Access /dev/__null__ node created prior to initial policy load.
33allow init tmpfs:chr_file write;
34
35# Access /dev/console.
36allow init console_device:chr_file rw_file_perms;
37
38# Access /dev/tty0.
39allow init tty_device:chr_file rw_file_perms;
40
41# Call mount(2).
42allow init self:capability sys_admin;
43
44# Create and mount on directories in /.
45allow init rootfs:dir create_dir_perms;
46allow init rootfs:dir mounton;
47
48# Mount on /dev/usb-ffs/adb.
49allow init device:dir mounton;
50
51# Create and remove symlinks in /.
52allow init rootfs:lnk_file { create unlink };
53
54# Mount debugfs on /sys/kernel/debug.
55allow init sysfs:dir mounton;
56
57# Create cgroups mount points in tmpfs and mount cgroups on them.
58allow init tmpfs:dir create_dir_perms;
59allow init tmpfs:dir mounton;
60allow init cgroup:dir create_dir_perms;
61allow init cpuctl_device:dir { create mounton };
62
63# Use tmpfs as /data, used for booting when /data is encrypted
64allow init tmpfs:dir relabelfrom;
65
66# Create directories under /dev/cpuctl after chowning it to system.
67allow init self:capability dac_override;
68
69# Set system clock.
70allow init self:capability sys_time;
71
72allow init self:capability { sys_rawio mknod };
73
74# Mounting filesystems from block devices.
75allow init dev_type:blk_file r_file_perms;
76
77# Mounting filesystems.
78# Only allow relabelto for types used in context= mount options,
79# which should all be assigned the contextmount_type attribute.
80# This can be done in device-specific policy via type or typeattribute
81# declarations.
82allow init fs_type:filesystem ~relabelto;
83allow init unlabeled:filesystem ~relabelto;
84allow init contextmount_type:filesystem relabelto;
85
86# Allow read-only access to context= mounted filesystems.
87allow init contextmount_type:dir r_dir_perms;
88allow init contextmount_type:notdevfile_class_set r_file_perms;
89
90# restorecon /adb_keys or any other rootfs files to a more specific type.
91allow init rootfs:file relabelfrom;
92
93# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
94# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
95# system/core/init.rc requires at least cache_file and data_file_type.
96# init.<board>.rc files often include device-specific types, so
97# we just allow all file types except /system files here.
98allow init self:capability { chown fowner fsetid };
99allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
100allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
101allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:file { create getattr open read write setattr relabelfrom unlink };
102allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
103allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
104allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
105allow init sysfs:{ dir file lnk_file } { getattr relabelfrom };
106allow init sysfs_type:{ dir file lnk_file } relabelto;
107allow init dev_type:dir create_dir_perms;
108allow init dev_type:lnk_file create;
109
110# chown/chmod on pseudo files.
111allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
112allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
113
114# chown/chmod on devices.
115allow init { dev_type -kmem_device }:chr_file { read open setattr };
116
117# Unlabeled file access for upgrades from 4.2.
118allow init unlabeled:dir { create_dir_perms relabelfrom };
119allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
120
121# Create /data/security from init.rc post-fs-data.
122allow init security_file:dir { create setattr };
123
124# Reload policy upon setprop selinux.reload_policy 1.
125# Note: this requires the following allow rule
126#   allow init kernel:security load_policy;
127# which can be configured on a device-by-device basis if needed.
128r_dir_file(init, security_file)
129
130# Any operation that can modify the kernel ring buffer, e.g. clear
131# or a read that consumes the messages that were read.
132allow init kernel:system syslog_mod;
133allow init self:capability2 syslog;
134
135# Set usermodehelpers and /proc security settings.
136allow init usermodehelper:file rw_file_perms;
137allow init proc_security:file rw_file_perms;
138
139# Write to /proc/sys/kernel/panic_on_oops.
140allow init proc:file w_file_perms;
141
142# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
143allow init proc_net:file w_file_perms;
144allow init self:capability net_admin;
145
146# Write to /proc/sysrq-trigger.
147allow init proc_sysrq:file w_file_perms;
148
149# Reboot.
150allow init self:capability sys_boot;
151
152# Write to sysfs nodes.
153allow init sysfs_type:dir r_dir_perms;
154allow init sysfs_type:file w_file_perms;
155
156# Transitions to seclabel processes in init.rc
157domain_trans(init, rootfs, adbd)
158domain_trans(init, rootfs, healthd)
159domain_trans(init, rootfs, slideshow)
160recovery_only(`
161  domain_trans(init, rootfs, recovery)
162')
163domain_trans(init, shell_exec, shell)
164domain_trans(init, init_exec, ueventd)
165domain_trans(init, init_exec, watchdogd)
166# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
167userdebug_or_eng(`
168  domain_auto_trans(init, logcat_exec, logd)
169')
170
171# Support "adb shell stop"
172allow init self:capability kill;
173allow init domain:process sigkill;
174
175# Init creates keystore's directory on boot, and walks through
176# the directory as part of a recursive restorecon.
177allow init keystore_data_file:dir { open create read getattr setattr search };
178allow init keystore_data_file:file { getattr };
179
180# Init creates vold's directory on boot, and walks through
181# the directory as part of a recursive restorecon.
182allow init vold_data_file:dir { open create read getattr setattr search };
183allow init vold_data_file:file { getattr };
184
185# Init creates /data/local/tmp at boot
186allow init shell_data_file:dir { open create read getattr setattr search };
187allow init shell_data_file:file { getattr };
188
189# Set UID and GID for services.
190allow init self:capability { setuid setgid };
191
192# For bootchart to read the /proc/$pid/cmdline file of each process,
193# we need to have following line to allow init to have access
194# to different domains.
195r_dir_file(init, domain)
196
197# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
198# setexec is for services with seclabel options.
199# setfscreate is for labeling directories and socket files.
200# setsockcreate is for labeling local/unix domain sockets.
201allow init self:process { setexec setfscreate setsockcreate };
202
203# Perform SELinux access checks on setting properties.
204selinux_check_access(init)
205
206# Ask the kernel for the new context on services to label their sockets.
207allow init kernel:security compute_create;
208
209# Create sockets for the services.
210allow init domain:unix_stream_socket { create bind };
211allow init domain:unix_dgram_socket { create bind };
212
213# Create /data/property and files within it.
214allow init property_data_file:dir create_dir_perms;
215allow init property_data_file:file create_file_perms;
216
217# Set any property.
218allow init property_type:property_service set;
219
220# Run "ifup lo" to bring up the localhost interface
221allow init self:udp_socket { create ioctl };
222allow init self:capability net_raw;
223
224# This line seems suspect, as it should not really need to
225# set scheduling parameters for a kernel domain task.
226allow init kernel:process setsched;
227
228# swapon() needs write access to swap device
229# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
230allow init swap_block_device:blk_file rw_file_perms;
231
232# Read from /dev/hw_random if present.
233# system/core/init/init.c - mix_hwrng_into_linux_rng_action
234allow init hw_random_device:chr_file r_file_perms;
235
236# Create and access /dev files without a specific type,
237# e.g. /dev/.coldboot_done, /dev/.booting
238# TODO:  Move these files into their own type unless they are
239# only ever accessed by init.
240allow init device:file create_file_perms;
241
242# Access character devices without a specific type,
243# e.g. /dev/keychord.
244# TODO: Move these devices into their own type unless they
245# are only ever accessed by init.
246allow init device:chr_file { rw_file_perms setattr };
247
248# keychord configuration
249allow init self:capability sys_tty_config;
250
251# Access device mapper for setting up dm-verity
252allow init dm_device:chr_file rw_file_perms;
253allow init dm_device:blk_file rw_file_perms;
254
255# Access metadata block device for storing dm-verity state
256allow init metadata_block_device:blk_file rw_file_perms;
257
258# Read /sys/fs/pstore/console-ramoops to detect restarts caused
259# by dm-verity detecting corrupted blocks
260allow init pstorefs:dir search;
261allow init pstorefs:file r_file_perms;
262
263# linux keyring configuration
264allow init init:key { write search setattr };
265
266# Allow init to create /data/unencrypted
267allow init unencrypted_data_file:dir create_dir_perms;
268
269unix_socket_connect(init, vold, vold)
270
271###
272### neverallow rules
273###
274
275# The init domain is only entered via setcon from the kernel domain,
276# never via an exec-based transition.
277neverallow domain init:process dyntransition;
278neverallow { domain -kernel} init:process transition;
279neverallow init { file_type fs_type -init_exec }:file entrypoint;
280
281# Never read/follow symlinks created by shell or untrusted apps.
282neverallow init shell_data_file:lnk_file read;
283neverallow init app_data_file:lnk_file read;
284
285# init should never execute a program without changing to another domain.
286neverallow init { file_type fs_type }:file execute_no_trans;
287