platform_system_sepolicy/private/init.te

typeattribute init coredomain;

tmpfs_domain(init)

# Transitions to seclabel processes in init.rc
domain_trans(init, rootfs, healthd)
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, charger_exec, charger)
domain_auto_trans(init, e2fs_exec, e2fs)
domain_auto_trans(init, bpfloader_exec, bpfloader)

recovery_only(`
  # Files in recovery image are labeled as rootfs.
  domain_trans(init, rootfs, adbd)
  domain_trans(init, rootfs, charger)
  domain_trans(init, rootfs, fastbootd)
  domain_trans(init, rootfs, recovery)
  domain_trans(init, rootfs, linkerconfig)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, vendor_init)
domain_trans(init, { rootfs toolbox_exec }, modprobe)
userdebug_or_eng(`
  # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
  domain_auto_trans(init, logcat_exec, logpersist)

  # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
  allow init su:process transition;
  dontaudit init su:process noatsecure;
  allow init su:process { siginh rlimitinh };
')

# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
# This is useful in case of remounting ext4 userdata into checkpointing mode,
# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
# that userdata is mounted onto.
allow init sysfs_dm:file read;

# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)

# Only init is allowed to set userspace reboot related properties.
set_prop(init, userspace_reboot_exported_prop)
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;

# Second-stage init performs a test for whether the kernel has SELinux hooks
# for the perf_event_open() syscall. This is done by testing for the syscall
# outcomes corresponding to this policy.
# TODO(b/137092007): this can be removed once the platform stops supporting
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
# and 4.9).
allow init self:perf_event { open cpu };
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };

# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute init coredomain;`

Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`tmpfs_domain(init)`

			`# Transitions to seclabel processes in init.rc`
healthd: restore healthd sepolicy for charger mode Test: Boot charge-only and android on sailfish Bug: https://b/33672744 Change-Id: I6a25e90a716ec0ca46b5ba5edad860aa0eebafef Signed-off-by: Sandeep Patil <sspatil@google.com> (cherry picked from commit 3b25e384108c20741313fb356ed25e0c515e5b6b) 2016-12-15 21:36:45 +01:00			`domain_trans(init, rootfs, healthd)`
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`domain_trans(init, rootfs, slideshow)`
Move /sbin/charger to /system/bin/charger. With the CLs in the same topic, it's being built as a dynamically linked executable. And this applies to normal boot (including charger mode) and recovery mode both. /system/bin/charger under normal boot will be labeled as charger_exec, which has the attribute of system_file_type. The file in recovery image will still be labeled as rootfs. So we keep the domain_trans rule for rootfs file, but allowing for recovery mode only. Bug: 73660730 Test: Boot into charger mode on taimen. Check that charger UI works. Test: Boot into recovery mode. Check that charger process works. Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc 2018-09-08 00:05:33 +02:00			`domain_auto_trans(init, charger_exec, charger)`
allow init to run mke2fs tools to format partitions Test: let fs_mgr format a damaged /data partition Bug: 35219933 Change-Id: If92352ea7a70780e9d81ab10963d63e16b793792 (cherry picked from commit 5f573ab2aa8f566c723f4ddd576f8365dcaec191) 2017-05-02 22:45:08 +02:00			`domain_auto_trans(init, e2fs_exec, e2fs)`
Allow executing bpfloader from init and modify rules init needs to execute bpfloader as a one-shot service. Add sepolicy for the same. Also update old rules allowing init to fork/exec bpfloader and remove rules allowing netd to do so. Bug: 112334572 Change-Id: Ic242cd507731ed8af3f8e94d4fccc95819831d37 Signed-off-by: Joel Fernandes <joelaf@google.com> 2018-11-29 22:07:40 +01:00			`domain_auto_trans(init, bpfloader_exec, bpfloader)`

Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			recovery_only(`
Move /sbin/charger to /system/bin/charger. With the CLs in the same topic, it's being built as a dynamically linked executable. And this applies to normal boot (including charger mode) and recovery mode both. /system/bin/charger under normal boot will be labeled as charger_exec, which has the attribute of system_file_type. The file in recovery image will still be labeled as rootfs. So we keep the domain_trans rule for rootfs file, but allowing for recovery mode only. Bug: 73660730 Test: Boot into charger mode on taimen. Check that charger UI works. Test: Boot into recovery mode. Check that charger process works. Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc 2018-09-08 00:05:33 +02:00			`# Files in recovery image are labeled as rootfs.`
Moving adbd from rootdir to system/bin Bug: 63910933 Test: boot sailfish in normal mode, checks adbd is started Test: boot sailfish in recovery mode, checks adbd is started Test: boot bullhead in normal mode, checks adbd is started Test: boot bullhead in recovery mode, checks adbd is started Change-Id: I35ed78a15a34626fbd3c21d030e2bf51033f7b79 Merged-In: I35ed78a15a34626fbd3c21d030e2bf51033f7b79 (cherry picked from commit e2423d149b6a5b9119965c097a2a75cb8d052763) 2017-07-31 12:38:28 +02:00			`domain_trans(init, rootfs, adbd)`
Move /sbin/charger to /system/bin/charger. With the CLs in the same topic, it's being built as a dynamically linked executable. And this applies to normal boot (including charger mode) and recovery mode both. /system/bin/charger under normal boot will be labeled as charger_exec, which has the attribute of system_file_type. The file in recovery image will still be labeled as rootfs. So we keep the domain_trans rule for rootfs file, but allowing for recovery mode only. Bug: 73660730 Test: Boot into charger mode on taimen. Check that charger UI works. Test: Boot into recovery mode. Check that charger process works. Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc 2018-09-08 00:05:33 +02:00			`domain_trans(init, rootfs, charger)`
Add sepolicy for fastbootd Also allow adb and fastboot to talk to recovery through recovery_socket. This enables changing between modes with usb commands. Test: No selinux denials Bug: 78793464 Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790 2018-05-29 19:54:16 +02:00			`domain_trans(init, rootfs, fastbootd)`
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`domain_trans(init, rootfs, recovery)`
Allow linkerconfig to be executed from recovery Add extra policy to enable linkerconfig to be executed from recovery. Bug: 139638519 Test: Tested from crosshatch recovery Change-Id: I40cdea4c45e8a649f933ba6ee73afaa7ab3f5348 2019-12-09 06:57:46 +01:00			`domain_trans(init, rootfs, linkerconfig)`
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`')`
			`domain_trans(init, shell_exec, shell)`
			`domain_trans(init, init_exec, ueventd)`
add vendor_init.te First pass at adding vendor_init.te Bug: 62875318 Test: boot sailfish with vendor_init Change-Id: I35cc9be324075d8baae866d6de4166c37fddac68 2017-09-28 23:34:36 +02:00			`domain_trans(init, init_exec, vendor_init)`
Fix coredomain violation for modprobe modprobe domain was allowed to launch vendor toolbox even if its a coredomain. That violates the treble separation. Fix that by creating a separate 'vendor_modprobe' domain that init is allowed to transition to through vendor_toolbox. Bug: 37008075 Test: Build and boot sailfish Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2 Signed-off-by: Sandeep Patil <sspatil@google.com> (cherry picked from commit 9e366a0e4959682713037f24af708cf22b9b53c7) 2017-06-03 01:09:26 +02:00			`domain_trans(init, { rootfs toolbox_exec }, modprobe)`
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			userdebug_or_eng(`
Allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng This is do aid developers pushing debug services to not need to modify the underlying SEPolicy avc: denied { transition } for comm="init" path="/system/bin/awk" dev="dm-0" ino=1934 scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process avc: denied { rlimitinh } for comm="awk" scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process avc: denied { siginh } for comm="awk" scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process avc: denied { noatsecure } for comm="awk" scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process Test: init can execute a system_file marked with seclabel u:r:su:s0 Change-Id: I85d9528341fe08dbb2fb9a91e34a41f41aa093be 2018-08-03 19:49:20 +02:00			`# case where logpersistd is actually logcat -f in logd context (nee: logcatd)`
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c 2016-08-10 20:10:02 +02:00			`domain_auto_trans(init, logcat_exec, logpersist)`
Allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng This is do aid developers pushing debug services to not need to modify the underlying SEPolicy avc: denied { transition } for comm="init" path="/system/bin/awk" dev="dm-0" ino=1934 scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process avc: denied { rlimitinh } for comm="awk" scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process avc: denied { siginh } for comm="awk" scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process avc: denied { noatsecure } for comm="awk" scontext=u:r:init:s0 tcontext=u:r:su:s0 tclass=process Test: init can execute a system_file marked with seclabel u:r:su:s0 Change-Id: I85d9528341fe08dbb2fb9a91e34a41f41aa093be 2018-08-03 19:49:20 +02:00
			`# allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng`
			`allow init su:process transition;`
			`dontaudit init su:process noatsecure;`
			`allow init su:process { siginh rlimitinh };`
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`')`
Allow init to set powerctl property NIAP certification requires that all cryptographic functions undergo a self-test during startup to demonstrate correct operation. init now performs this check during startup. The self-test is forked from init. For the child process to be able to request a reboot it needs permissions to set the sys.powerctl property. Bug: 119826244 Test: Built for walleye. When the BoringSSL self test was forced to fail the device rebooted into the bootloader, as expected. Change-Id: I4171b1dd0a5e393252ae5c002171ac51c9cbb3e6 2018-11-28 00:47:12 +01:00
Allow init to read /sys/block/dm-XX/dm/name In order to remount ext4 userdata into checkpointing mode, init will need to delete all devices from dm-stack it is mounted onto (e.g. dm-bow, dm-crypto). For that it needs to get name of a dm-device by reading /sys/block/dm-XX/dm/name file. Test: adb shell setprop sys.init.userdata_remount.force_umount_f2fs 1 Test: adb shell /system/bin/vdc checkpoint startCheckpoint 1 Test: adb reboot userspace Test: adb shell dumpsys activity Bug: 135984674 Bug: 143970043 Change-Id: I919a4afdce8a4f88322f636fdf796a2f1a955d04 2019-12-09 22:21:55 +01:00			`# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.`
			`# This is useful in case of remounting ext4 userdata into checkpointing mode,`
			`# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)`
			`# that userdata is mounted onto.`
			`allow init sysfs_dm:file read;`

Allow init to set powerctl property NIAP certification requires that all cryptographic functions undergo a self-test during startup to demonstrate correct operation. init now performs this check during startup. The self-test is forked from init. For the child process to be able to request a reboot it needs permissions to set the sys.powerctl property. Bug: 119826244 Test: Built for walleye. When the BoringSSL self test was forced to fail the device rebooted into the bootloader, as expected. Change-Id: I4171b1dd0a5e393252ae5c002171ac51c9cbb3e6 2018-11-28 00:47:12 +01:00			`# Allow the BoringSSL self test to request a reboot upon failure`
			`set_prop(init, powerctl_prop)`
Add selinux rules for userspace reboot related properties By default sys.init.userspace_reboot.* properties are internal to /system partition. Only exception is sys.init.userspace_reboot.in_progress which signals to all native services (including vendor ones) that userspace reboot is happening, hence it should be a system_public_prop. Only init should be allowed to set userspace reboot related properties. Bug: 135984674 Test: builds Test: adb reboot userspace Change-Id: Ibb04965be2d5bf6e81b34569aaaa1014ff61e0d3 2019-11-14 13:59:15 +01:00
			`# Only init is allowed to set userspace reboot related properties.`
			`set_prop(init, userspace_reboot_exported_prop)`
			`neverallow { domain -init } userspace_reboot_exported_prop:property_service set;`
Add sysprop for init's perf_event_open LSM hook check Written exclusively by init. Made it readable by shell for CTS, and for easier platform debugging. Bug: 137092007 Change-Id: Ia5b056117502c272bc7169661069d0c8020695e2 2020-01-14 19:20:06 +01:00
			`# Second-stage init performs a test for whether the kernel has SELinux hooks`
			`# for the perf_event_open() syscall. This is done by testing for the syscall`
			`# outcomes corresponding to this policy.`
			`# TODO(b/137092007): this can be removed once the platform stops supporting`
			`# kernels that precede the perf_event_open hooks (Android common kernels 4.4`
			`# and 4.9).`
			`allow init self:perf_event { open cpu };`
			`neverallow init self:perf_event { kernel tracepoint read write };`
			`dontaudit init self:perf_event { kernel tracepoint read write };`

			`# Only init is allowed to set the sysprop indicating whether perf_event_open()`
			`# SELinux hooks were detected.`
			`set_prop(init, init_perf_lsm_hooks_prop)`
			`neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;`