platform_system_sepolicy/private/init.te

typeattribute init coredomain;

tmpfs_domain(init)

# Transitions to seclabel processes in init.rc
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, charger)
domain_trans(init, rootfs, healthd)
domain_trans(init, rootfs, slideshow)
recovery_only(`
  domain_trans(init, rootfs, recovery)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, watchdogd)
domain_trans(init, { rootfs toolbox_exec vendor_toolbox_exec }, modprobe)
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
userdebug_or_eng(`
  domain_auto_trans(init, logcat_exec, logpersist)
')

# Creating files on sysfs is impossible so this isn't a threat
# Sometimes we have to write to non-existent files to avoid conditional
# init behavior. See b/35303861 for an example.
dontaudit init sysfs:dir write;
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute init coredomain;`

Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`tmpfs_domain(init)`

			`# Transitions to seclabel processes in init.rc`
			`domain_trans(init, rootfs, adbd)`
healthd: create SEPolicy for 'charger' and reduce healthd's scope healthd is being split into 'charger' and 'healthd' processes, that will never run together. 'charger' is to be run only in charge-only and recovery, while healthd runs with Android. While they both share much of battery monitoring code, they both now have reduced scope. E.g. 'charger', doesn't need to use binder anymore and healthd doesn't need to do charging ui animation. So, amend the SEPolicy for healthd to reduce it's scope and add a new one for charger. Test: Tested all modes {recovery, charger-only, android} with new policy Change-Id: If7f81875c605f7f07da4d23a313f308b9dde9ce8 Signed-off-by: Sandeep Patil <sspatil@google.com> (cherry picked from commit c73d0022ade4855ab72849e1fe97856c737fdcef) 2016-11-01 21:49:10 +01:00			`domain_trans(init, rootfs, charger)`
healthd: restore healthd sepolicy for charger mode Test: Boot charge-only and android on sailfish Bug: https://b/33672744 Change-Id: I6a25e90a716ec0ca46b5ba5edad860aa0eebafef Signed-off-by: Sandeep Patil <sspatil@google.com> (cherry picked from commit 3b25e384108c20741313fb356ed25e0c515e5b6b) 2016-12-15 21:36:45 +01:00			`domain_trans(init, rootfs, healthd)`
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`domain_trans(init, rootfs, slideshow)`
			recovery_only(`
			`domain_trans(init, rootfs, recovery)`
			`')`
			`domain_trans(init, shell_exec, shell)`
			`domain_trans(init, init_exec, ueventd)`
			`domain_trans(init, init_exec, watchdogd)`
Allow init to run vendor toybox for modprobe vendor implementations need to be able to run modprobe as part of init.rc scripts. They cannot do so because of the strict neverallow currently in place that disallows all coredomains (including init) to execute vendor toybox. Fix this by adding init to the exception list for the neverallow so vendors can then run modprobe from .rc scripts and also add the rule to allow init to transition to modprobe domain using vendor_toolbox. Bug: b/38212864 Test: Boot sailfish Change-Id: Ib839246954e9002859f3ba986094f206bfead137 Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-05-22 21:09:14 +02:00			`domain_trans(init, { rootfs toolbox_exec vendor_toolbox_exec }, modprobe)`
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`# case where logpersistd is actually logcat -f in logd context (nee: logcatd)`
			userdebug_or_eng(`
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c 2016-08-10 20:10:02 +02:00			`domain_auto_trans(init, logcat_exec, logpersist)`
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`')`
Remove selinux denial Don't audit directory writes to sysfs since they cannot succees and therefore cannot be a security issue Bug: 35303861 Test: Make sure denial is no longer shown Change-Id: I1f31d35aa01e28e3eb7371b1a75fc4090ea40464 2017-02-13 17:48:51 +01:00
			`# Creating files on sysfs is impossible so this isn't a threat`
			`# Sometimes we have to write to non-existent files to avoid conditional`
			`# init behavior. See b/35303861 for an example.`
			`dontaudit init sysfs:dir write;`