platform_system_sepolicy/private/vendor_init.te

# Creating files on sysfs is impossible so this isn't a threat
# Sometimes we have to write to non-existent files to avoid conditional
# init behavior. See b/35303861 for an example.
dontaudit vendor_init sysfs:dir write;

# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
allow vendor_init system_data_root_file:dir rw_dir_perms;

# Let vendor_init set service.adb.tcp.port.
set_prop(vendor_init, adbd_config_prop)

# Let vendor_init react to AVF device config changes
get_prop(vendor_init, device_config_virtualization_framework_native_prop)

# chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init {
  dev_type
  -keychord_device
  -kvm_device
  -port_device
  -lowpan_device
  -hw_random_device
}:chr_file setattr;
Copy a dontaudit from init to vendor_init Copy init's dontaudit for sysfs:dir write; to calm the below denials: avc: denied { write } for pid=542 comm="init" name="1da4000.ufshc" dev="sysfs" ino=21752 scontext=u:r:vendor_init:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1 avc: denied { write } for pid=542 comm="init" name="1da4000.ufshc" dev="sysfs" ino=21752 scontext=u:r:vendor_init:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1 Bug: 62875318 Test: use pixel + factory reset + vendor_init Change-Id: I686b51c4f340b3565ea24f00516ebde846be7a89 2017-11-15 23:57:14 +01:00			`# Creating files on sysfs is impossible so this isn't a threat`
			`# Sometimes we have to write to non-existent files to avoid conditional`
			`# init behavior. See b/35303861 for an example.`
			`dontaudit vendor_init sysfs:dir write;`
Root of /data belongs to init (re-landing) Give /data itself a different label to its contents, to ensure that only init creates files and directories there. This change originally landed as aosp/1106014 and was reverted in aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying problem, and with that we can re-land this change. Bug: 139190159 Bug: 140402208 Test: aosp boots, logs look good Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf 2019-08-02 00:57:47 +02:00
			`# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now`
			`allow vendor_init system_data_root_file:dir rw_dir_perms;`
Let adbd set service.adb.tcp.port. Commit 67c36884 changed the label of service.adb.tcp.port to allow vendor init to set it, but accidentally prevented adbd from setting it, which broke `adb tcpip`. Bug: http://b/171280882 Test: `adb tcpip` Change-Id: I154e2f43a4d3b72b27508ce02d66298673939738 2020-10-28 21:56:23 +01:00
			`# Let vendor_init set service.adb.tcp.port.`
			`set_prop(vendor_init, adbd_config_prop)`
Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6 2021-03-29 19:19:12 +02:00
Allow vendor_init to read AVF device configs Bug: 192819132 Test: build Change-Id: Iefa4d2d2dc0a13a9a6c95779d6ebde5cb2834295 2021-10-08 14:13:46 +02:00			`# Let vendor_init react to AVF device config changes`
			`get_prop(vendor_init, device_config_virtualization_framework_native_prop)`

Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6 2021-03-29 19:19:12 +02:00			`# chown/chmod on devices, e.g. /dev/ttyHS0`
			`allow vendor_init {`
			`dev_type`
			`-keychord_device`
			`-kvm_device`
			`-port_device`
			`-lowpan_device`
			`-hw_random_device`
			`}:chr_file setattr;`