2012-01-04 18:33:27 +01:00
|
|
|
# init switches to init domain (via init.rc).
|
|
|
|
type init, domain;
|
|
|
|
# init is unconfined.
|
|
|
|
unconfined_domain(init)
|
|
|
|
tmpfs_domain(init)
|
2013-07-10 23:46:05 +02:00
|
|
|
|
2014-02-10 22:31:04 +01:00
|
|
|
allow init self:capability { sys_rawio mknod };
|
|
|
|
|
2014-06-19 15:07:17 +02:00
|
|
|
# Run helpers from / or /system without changing domain.
|
|
|
|
# We do not include exec_type here since generally those
|
|
|
|
# should always involve a domain transition.
|
|
|
|
allow init rootfs:file execute_no_trans;
|
|
|
|
allow init system_file:file execute_no_trans;
|
|
|
|
|
2014-05-29 20:35:55 +02:00
|
|
|
# Running e2fsck or mkswap via fs_mgr.
|
2014-02-11 20:40:14 +01:00
|
|
|
allow init dev_type:blk_file rw_file_perms;
|
2014-05-29 20:35:55 +02:00
|
|
|
|
|
|
|
# Mounting filesystems.
|
2014-06-16 19:05:38 +02:00
|
|
|
# Only allow relabelto for types used in context= mount options,
|
|
|
|
# which should all be assigned the contextmount_type attribute.
|
|
|
|
# This can be done in device-specific policy via type or typeattribute
|
|
|
|
# declarations.
|
|
|
|
allow init fs_type:filesystem ~relabelto;
|
|
|
|
allow init unlabeled:filesystem ~relabelto;
|
|
|
|
allow init contextmount_type:filesystem relabelto;
|
|
|
|
|
|
|
|
# Allow read-only access to context= mounted filesystems.
|
|
|
|
allow init contextmount_type:dir r_dir_perms;
|
|
|
|
allow init contextmount_type:notdevfile_class_set r_file_perms;
|
2014-05-29 20:35:55 +02:00
|
|
|
|
2014-06-23 15:17:51 +02:00
|
|
|
# restorecon /adb_keys or any other rootfs files to a more specific type.
|
|
|
|
allow init rootfs:file relabelfrom;
|
|
|
|
|
2014-05-29 20:35:55 +02:00
|
|
|
# restorecon and restorecon_recursive calls from init.rc files.
|
|
|
|
# system/core/init.rc requires at least cache_file and data_file_type.
|
|
|
|
# init.<board>.rc files often include device-specific types, so
|
|
|
|
# we just allow all file types except /system files here.
|
2014-05-20 20:09:16 +02:00
|
|
|
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
|
2014-05-29 20:35:55 +02:00
|
|
|
|
2014-05-30 15:53:00 +02:00
|
|
|
# Unlabeled file access for upgrades from 4.2.
|
|
|
|
allow init unlabeled:dir { create_dir_perms relabelfrom };
|
|
|
|
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
|
|
|
|
|
2014-05-30 16:25:00 +02:00
|
|
|
# Create /data/security from init.rc post-fs-data.
|
|
|
|
allow init security_file:dir { create setattr };
|
|
|
|
|
|
|
|
# setprop selinux.reload_policy 1 from init.rc post-fs-data.
|
|
|
|
allow init security_prop:property_service set;
|
|
|
|
|
2014-05-29 20:35:55 +02:00
|
|
|
# Reload policy upon setprop selinux.reload_policy 1.
|
2014-05-30 16:25:00 +02:00
|
|
|
r_dir_file(init, security_file)
|
2013-12-06 14:05:53 +01:00
|
|
|
allow init kernel:security load_policy;
|
2014-05-29 20:35:55 +02:00
|
|
|
|
|
|
|
# Any operation that can modify the kernel ring buffer, e.g. clear
|
|
|
|
# or a read that consumes the messages that were read.
|
2014-05-28 22:48:52 +02:00
|
|
|
allow init kernel:system syslog_mod;
|
2014-05-29 20:35:55 +02:00
|
|
|
|
|
|
|
# Set usermodehelpers and /proc security settings.
|
2013-12-06 15:31:40 +01:00
|
|
|
allow init usermodehelper:file rw_file_perms;
|
|
|
|
allow init proc_security:file rw_file_perms;
|
2014-01-25 05:43:07 +01:00
|
|
|
|
|
|
|
# Transitions to seclabel processes in init.rc
|
2014-07-15 08:31:01 +02:00
|
|
|
domain_trans(init, rootfs, adbd)
|
|
|
|
domain_trans(init, rootfs, healthd)
|
|
|
|
recovery_only(`
|
|
|
|
domain_trans(init, rootfs, recovery)
|
|
|
|
')
|
|
|
|
domain_trans(init, shell_exec, shell)
|
|
|
|
domain_trans(init, rootfs, ueventd)
|
|
|
|
domain_trans(init, rootfs, watchdogd)
|
|
|
|
|
|
|
|
# Certain domains need LD_PRELOAD passed from init.
|
|
|
|
# https://android-review.googlesource.com/94851
|
2014-07-17 03:42:36 +02:00
|
|
|
# For now, allow it to most domains.
|
2014-07-15 08:31:01 +02:00
|
|
|
# TODO: scope this down.
|
2014-07-17 03:42:36 +02:00
|
|
|
allow init { domain -lmkd }:process noatsecure;
|
2014-07-15 08:31:01 +02:00
|
|
|
|
|
|
|
# Support "adb shell stop"
|
|
|
|
allow init domain:process sigkill;
|
2014-05-09 08:28:52 +02:00
|
|
|
|
|
|
|
# Init creates keystore's directory on boot, and walks through
|
|
|
|
# the directory as part of a recursive restorecon.
|
|
|
|
allow init keystore_data_file:dir { open create read getattr setattr search };
|
|
|
|
allow init keystore_data_file:file { getattr };
|
2014-05-23 17:26:19 +02:00
|
|
|
|
2014-06-07 19:00:59 +02:00
|
|
|
# Init creates /data/local/tmp at boot
|
|
|
|
allow init shell_data_file:dir { open create read getattr setattr search };
|
|
|
|
allow init shell_data_file:file { getattr };
|
|
|
|
|
2014-05-23 17:26:19 +02:00
|
|
|
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
|
|
|
|
# setexec is for services with seclabel options.
|
|
|
|
# setfscreate is for labeling directories and socket files.
|
|
|
|
# setsockcreate is for labeling local/unix domain sockets.
|
|
|
|
allow init self:process { setexec setfscreate setsockcreate };
|
2014-05-29 15:22:16 +02:00
|
|
|
|
|
|
|
# Create /data/property and files within it.
|
|
|
|
allow init property_data_file:dir create_dir_perms;
|
|
|
|
allow init property_data_file:file create_file_perms;
|
2014-06-18 16:09:35 +02:00
|
|
|
|
2014-06-19 16:27:02 +02:00
|
|
|
# Set any property.
|
|
|
|
allow init property_type:property_service set;
|
|
|
|
|
2014-06-21 06:15:56 +02:00
|
|
|
# Run "ifup lo" to bring up the localhost interface
|
|
|
|
allow init self:udp_socket { create ioctl };
|
|
|
|
|
2014-07-15 08:31:01 +02:00
|
|
|
# This line seems suspect, as it should not really need to
|
|
|
|
# set scheduling parameters for a kernel domain task.
|
|
|
|
allow init kernel:process setsched;
|
|
|
|
|
2014-06-18 16:09:35 +02:00
|
|
|
###
|
|
|
|
### neverallow rules
|
|
|
|
###
|
|
|
|
|
|
|
|
# The init domain is only entered via setcon from the kernel domain,
|
|
|
|
# never via an exec-based transition.
|
|
|
|
neverallow { domain -kernel} init:process dyntransition;
|
|
|
|
neverallow domain init:process transition;
|
|
|
|
neverallow init { file_type fs_type }:file entrypoint;
|