1# Life begins with the kernel.
2type kernel, domain, mlstrustedsubject;
3
4allow kernel self:capability sys_nice;
5
6# Root fs.
7r_dir_file(kernel, rootfs)
8r_dir_file(kernel, proc)
9
10# Get SELinux enforcing status.
11allow kernel selinuxfs:dir r_dir_perms;
12allow kernel selinuxfs:file r_file_perms;
13
14# Get file contexts during first stage
15allow kernel file_contexts_file:file r_file_perms;
16
17# Allow init relabel itself.
18allow kernel rootfs:file relabelfrom;
19allow kernel init_exec:file relabelto;
20# TODO: investigate why we need this.
21allow kernel init:process share;
22
23# cgroup filesystem initialization prior to setting the cgroup root directory label.
24allow kernel unlabeled:dir search;
25
26# Mount usbfs.
27allow kernel usbfs:filesystem mount;
28allow kernel usbfs:dir search;
29
30# Initial setenforce by init prior to switching to init domain.
31# We use dontaudit instead of allow to prevent a kernel spawned userspace
32# process from turning off SELinux once enabled.
33dontaudit kernel self:security setenforce;
34
35# Write to /proc/1/oom_adj prior to switching to init domain.
36allow kernel self:capability sys_resource;
37
38# Init reboot before switching selinux domains under certain error
39# conditions. Allow it.
40# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
41# remount filesystems read-only. /data is not mounted at this point,
42# so we could ignore this. For now, we allow it.
43allow kernel self:capability sys_boot;
44allow kernel proc_sysrq:file w_file_perms;
45
46# Allow writing to /dev/kmsg which was created prior to loading policy.
47allow kernel tmpfs:chr_file write;
48
49# Set checkreqprot by init.rc prior to switching to init domain.
50allow kernel selinuxfs:file write;
51allow kernel self:security setcheckreqprot;
52
53# MTP sync (b/15835289)
54# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
55allow kernel priv_app:fd use;
56allow kernel sdcard_type:file { read write };
57
58# Allow the kernel to read OBB files from app directories. (b/17428116)
59# Kernel thread "loop0" reads a vold supplied file descriptor.
60# Fixes CTS tests:
61#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
62#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
63allow kernel vold:fd use;
64allow kernel app_data_file:file read;
65allow kernel asec_image_file:file read;
66
67# Allow reading loop device in update_engine_unittests. (b/28319454)
68userdebug_or_eng(`
69  allow kernel update_engine_data_file:file read;
70  allow kernel nativetest_data_file:file read;
71')
72
73# Access to /data/media.
74# This should be removed if sdcardfs is modified to alter the secontext for its
75# accesses to the underlying FS.
76allow kernel media_rw_data_file:dir create_dir_perms;
77allow kernel media_rw_data_file:file create_file_perms;
78
79# Access to /data/misc/vold/virtual_disk.
80allow kernel vold_data_file:file read;
81
82###
83### neverallow rules
84###
85
86# The initial task starts in the kernel domain (assigned via
87# initial_sid_contexts), but nothing ever transitions to it.
88neverallow * kernel:process { transition dyntransition };
89
90# The kernel domain is never entered via an exec, nor should it
91# ever execute a program outside the rootfs without changing to another domain.
92# If you encounter an execute_no_trans denial on the kernel domain, then
93# possible causes include:
94# - The program is a kernel usermodehelper.  In this case, define a domain
95#   for the program and domain_auto_trans() to it.
96# - You are running an exploit which switched to the init task credentials
97#   and is then trying to exec a shell or other program.  You lose!
98neverallow kernel *:file { entrypoint execute_no_trans };
99
100# the kernel should not be accessing files owned by other users.
101# Instead of adding dac_{read_search,override}, fix the unix permissions
102# on files being accessed.
103neverallow kernel self:capability { dac_override dac_read_search };
104