Merge "Minimize microdroid public policy" into main

This commit is contained in:
Treehugger Robot 2024-03-28 07:47:50 +00:00 committed by Gerrit Code Review
commit 7b6ce3bf13
21 changed files with 332 additions and 274 deletions

View file

@ -440,3 +440,7 @@ allow init prng_seeder:unix_stream_socket { create bind listen };
r_dir_file(init, vendor_kernel_modules) r_dir_file(init, vendor_kernel_modules)
allow init self:capability sys_module; allow init self:capability sys_module;
allow init vendor_kernel_modules:system module_load; allow init vendor_kernel_modules:system module_load;
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { getattr write relabelto };
allow init kmsg_debug_device:chr_file { open write relabelto };

View file

@ -18,6 +18,11 @@ dontaudit domain {
ctl_fuse_prop ctl_fuse_prop
}:property_service set; }:property_service set;
allow property_type tmpfs:filesystem associate;
dontaudit { domain -init } default_prop:file no_rw_file_perms;
dontaudit { domain -init } default_prop:property_service set;
### ###
### Neverallow rules ### Neverallow rules
### ###
@ -67,3 +72,7 @@ neverallow {
domain domain
-init -init
} non_existing_prop:property_service set; } non_existing_prop:property_service set;
# Properties should be explicitly labeled in property_contexts
neverallow { domain -init } default_prop:file no_rw_file_perms;
neverallow { domain -init } default_prop:property_service set;

View file

@ -1,5 +1,76 @@
typeattribute shell coredomain; typeattribute shell coredomain;
# Root fs.
allow shell rootfs:dir r_dir_perms;
# Access /data/local/tmp.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
r_dir_file(shell, proc_net_type)
allow shell {
proc_asound
proc_filesystems
proc_interrupts
proc_loadavg # b/124024827
proc_meminfo
proc_modules
proc_pid_max
proc_slabinfo
proc_stat
proc_timer
proc_uptime
proc_version
proc_vmstat
proc_zoneinfo
}:file r_file_perms;
# allow listing network interfaces under /sys/class/net.
allow shell sysfs_net:dir r_dir_perms;
r_dir_file(shell, cgroup)
allow shell cgroup_desc_file:file r_file_perms;
allow shell cgroup_desc_api_file:file r_file_perms;
r_dir_file(shell, cgroup_v2)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
allow shell { proc labeledfs }:filesystem getattr;
# stat() of /dev
allow shell device:dir getattr;
# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;
# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;
# /dev/fd is a symlink
allow shell proc:lnk_file getattr;
# read selinux policy files
allow shell file_contexts_file:file r_file_perms;
allow shell property_contexts_file:file r_file_perms;
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;
# Perform SELinux access checks, needed for CTS # Perform SELinux access checks, needed for CTS
selinux_check_access(shell) selinux_check_access(shell)
selinux_check_context(shell) selinux_check_context(shell)

View file

@ -1,3 +1,22 @@
typeattribute statsd coredomain; typeattribute statsd coredomain;
init_daemon_domain(statsd) init_daemon_domain(statsd)
# Allow statsd to scan through /proc/pid for all processes.
r_dir_file(statsd, domain)
# Allow executing files on system, such as running a shell or running:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow statsd devpts:chr_file { getattr ioctl read write };
allow statsd shell_exec:file rx_file_perms;
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file rx_file_perms;
# Allow 'adb shell cmd' to upload configs and download output.
allow statsd adbd:fd use;
allow statsd adbd:unix_stream_socket { getattr read write };
allow statsd shell:fifo_file { getattr read write };
unix_socket_send(statsd, statsdw, statsd)

View file

@ -2,3 +2,34 @@ typeattribute su coredomain;
# su is also permissive to permit setenforce. # su is also permissive to permit setenforce.
permissive su; permissive su;
# Add su to various domains
dontaudit su self:capability_class_set *;
dontaudit su self:capability2 *;
dontaudit su kernel:security *;
dontaudit su { kernel file_type }:system *;
dontaudit su self:memprotect *;
dontaudit su domain:{ process process2 } *;
dontaudit su domain:fd *;
dontaudit su domain:dir *;
dontaudit su domain:lnk_file *;
dontaudit su domain:{ fifo_file file } *;
dontaudit su domain:socket_class_set *;
dontaudit su domain:ipc_class_set *;
dontaudit su domain:key *;
dontaudit su fs_type:filesystem *;
dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
dontaudit su node_type:node *;
dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
dontaudit su netif_type:netif *;
dontaudit su port_type:socket_class_set *;
dontaudit su port_type:{ tcp_socket dccp_socket } *;
dontaudit su domain:peer *;
dontaudit su domain:binder *;
dontaudit su property_type:property_service *;
dontaudit su property_type:file *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su domain:bpf *;
dontaudit su unlabeled:vsock_socket *;
dontaudit su self:perf_event *;

View file

@ -0,0 +1,144 @@
# Communication to the main init process
allow vendor_init init:unix_stream_socket { read write };
# Logging to kmsg
allow vendor_init kmsg_device:chr_file { open getattr write };
# Mount on /dev/usb-ffs/adb.
allow vendor_init device:dir mounton;
# Create and remove symlinks in /.
allow vendor_init rootfs:lnk_file { create unlink };
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir create_dir_perms;
allow vendor_init cgroup:file w_file_perms;
allow vendor_init cgroup_v2:dir create_dir_perms;
allow vendor_init cgroup_v2:file w_file_perms;
# /config
allow vendor_init configfs:dir mounton;
allow vendor_init configfs:dir create_dir_perms;
allow vendor_init configfs:{ file lnk_file } create_file_perms;
# Create directories under /dev/cpuctl after chowning it to system.
allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow vendor_init self:global_capability_class_set { chown fowner fsetid };
allow vendor_init system_data_file:dir getattr;
allow vendor_init {
file_type
-exec_type
-system_file_type
-unlabeled
-vendor_file_type
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
allow vendor_init {
file_type
-exec_type
-system_file_type
-unlabeled
-vendor_file_type
-apex_info_file
enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
file_type
-exec_type
-system_file_type
-unlabeled
-vendor_file_type
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
file_type
-apex_mnt_dir
-exec_type
-system_file_type
-unlabeled
-vendor_file_type
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
file_type
-exec_type
-system_file_type
-vendor_file_type
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
allow vendor_init dev_type:lnk_file create;
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow vendor_init debugfs_tracing:file w_file_perms;
# chown/chmod on pseudo files.
allow vendor_init {
fs_type
-fusefs_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr map };
allow vendor_init tracefs_type:file { open read setattr map };
allow vendor_init {
fs_type
-fusefs_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
}:dir { open read setattr search };
allow vendor_init dev_type:blk_file getattr;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
r_dir_file(vendor_init, proc_net_type)
allow vendor_init proc_net_type:file w_file_perms;
allow vendor_init self:global_capability_class_set net_admin;
# Write to /proc/sys/vm/page-cluster
allow vendor_init proc_page_cluster:file w_file_perms;
# Write to sysfs nodes.
allow vendor_init sysfs_type:dir r_dir_perms;
allow vendor_init sysfs_type:lnk_file read;
allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
# setfscreatecon() for labeling directories and socket files.
allow vendor_init self:process { setfscreate };
r_dir_file(vendor_init, vendor_file_type)
# Vendor init can perform operations on trusted and security Extended Attributes
allow vendor_init self:global_capability_class_set sys_admin;
# vendor_init is using bootstrap bionic
use_bootstrap_libs(vendor_init)
# Get file context
allow vendor_init file_contexts_file:file r_file_perms;
# Allow vendor_init to (re)set nice
allow vendor_init self:capability sys_nice;
# chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init {
dev_type
-hw_random_device
}:chr_file setattr;

View file

@ -1,2 +1,6 @@
type adbd, domain; type adbd, domain;
type adbd_exec, exec_type, file_type, system_file_type; type adbd_exec, exec_type, file_type, system_file_type;
# public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
# Instead, add such policy rules to private/*.te.

View file

@ -1,2 +1,6 @@
type apexd, domain, coredomain; type apexd, domain, coredomain;
type apexd_exec, file_type, exec_type, system_file_type; type apexd_exec, file_type, exec_type, system_file_type;
# public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
# Instead, add such policy rules to private/*.te.

View file

@ -1,2 +1,6 @@
type crash_dump, domain; type crash_dump, domain;
type crash_dump_exec, system_file_type, exec_type, file_type; type crash_dump_exec, system_file_type, exec_type, file_type;
# public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
# Instead, add such policy rules to private/*.te.

View file

@ -27,3 +27,7 @@ type tty_device, dev_type;
type vd_device, dev_type; type vd_device, dev_type;
type vsock_device, dev_type; type vsock_device, dev_type;
type zero_device, dev_type; type zero_device, dev_type;
# public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
# Instead, add such policy rules to private/*.te.

View file

@ -191,3 +191,7 @@ type tmpfs, fs_type;
type usbfs, fs_type; type usbfs, fs_type;
type usermodehelper, fs_type, proc_type; type usermodehelper, fs_type, proc_type;
type vfat, fs_type, sdcard_type; type vfat, fs_type, sdcard_type;
# public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
# Instead, add such policy rules to private/*.te.

View file

@ -3,6 +3,6 @@ type init, domain;
type init_exec, system_file_type, exec_type, file_type; type init_exec, system_file_type, exec_type, file_type;
type init_tmpfs, file_type; type init_tmpfs, file_type;
allow init tmpfs:chr_file relabelfrom; # public is for vendor-facing type and attribute definitions.
allow init kmsg_device:chr_file { getattr write relabelto }; # DO NOT ADD allow, neverallow, or dontaudit statements here.
allow init kmsg_debug_device:chr_file { open write relabelto }; # Instead, add such policy rules to private/*.te.

View file

@ -1,2 +1,6 @@
# Life begins with the kernel. # Life begins with the kernel.
type kernel, domain; type kernel, domain;
# public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
# Instead, add such policy rules to private/*.te.

View file

@ -50,11 +50,6 @@ type usb_control_prop, property_type;
type vendor_default_prop, property_type; type vendor_default_prop, property_type;
type powerctl_prop, property_type; type powerctl_prop, property_type;
allow property_type tmpfs:filesystem associate; # public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
# Properties should be explicitly labeled in property_contexts # Instead, add such policy rules to private/*.te.
neverallow { domain -init } default_prop:file no_rw_file_perms;
neverallow { domain -init } default_prop:property_service set;
dontaudit { domain -init } default_prop:file no_rw_file_perms;
dontaudit { domain -init } default_prop:property_service set;

View file

@ -2,73 +2,6 @@
type shell, domain; type shell, domain;
type shell_exec, system_file_type, exec_type, file_type; type shell_exec, system_file_type, exec_type, file_type;
# Root fs. # public is for vendor-facing type and attribute definitions.
allow shell rootfs:dir r_dir_perms; # DO NOT ADD allow, neverallow, or dontaudit statements here.
# Instead, add such policy rules to private/*.te.
# Access /data/local/tmp.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
r_dir_file(shell, proc_net_type)
allow shell {
proc_asound
proc_filesystems
proc_interrupts
proc_loadavg # b/124024827
proc_meminfo
proc_modules
proc_pid_max
proc_slabinfo
proc_stat
proc_timer
proc_uptime
proc_version
proc_vmstat
proc_zoneinfo
}:file r_file_perms;
# allow listing network interfaces under /sys/class/net.
allow shell sysfs_net:dir r_dir_perms;
r_dir_file(shell, cgroup)
allow shell cgroup_desc_file:file r_file_perms;
allow shell cgroup_desc_api_file:file r_file_perms;
r_dir_file(shell, cgroup_v2)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
allow shell { proc labeledfs }:filesystem getattr;
# stat() of /dev
allow shell device:dir getattr;
# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;
# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;
# /dev/fd is a symlink
allow shell proc:lnk_file getattr;
# read selinux policy files
allow shell file_contexts_file:file r_file_perms;
allow shell property_contexts_file:file r_file_perms;
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;

View file

@ -1,22 +1,6 @@
type statsd, domain; type statsd, domain;
type statsd_exec, system_file_type, exec_type, file_type; type statsd_exec, system_file_type, exec_type, file_type;
# Allow statsd to scan through /proc/pid for all processes. # public is for vendor-facing type and attribute definitions.
r_dir_file(statsd, domain) # DO NOT ADD allow, neverallow, or dontaudit statements here.
# Instead, add such policy rules to private/*.te.
# Allow executing files on system, such as running a shell or running:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow statsd devpts:chr_file { getattr ioctl read write };
allow statsd shell_exec:file rx_file_perms;
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file rx_file_perms;
# Allow 'adb shell cmd' to upload configs and download output.
allow statsd adbd:fd use;
allow statsd adbd:unix_stream_socket { getattr read write };
allow statsd shell:fifo_file { getattr read write };
unix_socket_send(statsd, statsdw, statsd)

View file

@ -5,33 +5,6 @@
# that adb root works on debuggable VMs even for user builds. # that adb root works on debuggable VMs even for user builds.
type su, domain; type su, domain;
# Add su to various domains # public is for vendor-facing type and attribute definitions.
dontaudit su self:capability_class_set *; # DO NOT ADD allow, neverallow, or dontaudit statements here.
dontaudit su self:capability2 *; # Instead, add such policy rules to private/*.te.
dontaudit su kernel:security *;
dontaudit su { kernel file_type }:system *;
dontaudit su self:memprotect *;
dontaudit su domain:{ process process2 } *;
dontaudit su domain:fd *;
dontaudit su domain:dir *;
dontaudit su domain:lnk_file *;
dontaudit su domain:{ fifo_file file } *;
dontaudit su domain:socket_class_set *;
dontaudit su domain:ipc_class_set *;
dontaudit su domain:key *;
dontaudit su fs_type:filesystem *;
dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
dontaudit su node_type:node *;
dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
dontaudit su netif_type:netif *;
dontaudit su port_type:socket_class_set *;
dontaudit su port_type:{ tcp_socket dccp_socket } *;
dontaudit su domain:peer *;
dontaudit su domain:binder *;
dontaudit su property_type:property_service *;
dontaudit su property_type:file *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su domain:bpf *;
dontaudit su unlabeled:vsock_socket *;
dontaudit su self:perf_event *;

View file

@ -1,2 +1,6 @@
type toolbox, domain; type toolbox, domain;
type toolbox_exec, file_type, exec_type, system_file_type; type toolbox_exec, file_type, exec_type, system_file_type;
# public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
# Instead, add such policy rules to private/*.te.

View file

@ -1,3 +1,7 @@
# Miscellaneous types # Miscellaneous types
type system_linker; type system_linker;
type vm_payload_key; type vm_payload_key;
# public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
# Instead, add such policy rules to private/*.te.

View file

@ -2,3 +2,7 @@
# it lives in the rootfs and has no unique file type. # it lives in the rootfs and has no unique file type.
type ueventd, domain; type ueventd, domain;
type ueventd_tmpfs, file_type; type ueventd_tmpfs, file_type;
# public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
# Instead, add such policy rules to private/*.te.

View file

@ -1,147 +1,6 @@
# vendor_init is its own domain. # vendor_init is its own domain.
type vendor_init, domain; type vendor_init, domain;
# Communication to the main init process # public is for vendor-facing type and attribute definitions.
allow vendor_init init:unix_stream_socket { read write }; # DO NOT ADD allow, neverallow, or dontaudit statements here.
# Instead, add such policy rules to private/*.te.
# Logging to kmsg
allow vendor_init kmsg_device:chr_file { open getattr write };
# Mount on /dev/usb-ffs/adb.
allow vendor_init device:dir mounton;
# Create and remove symlinks in /.
allow vendor_init rootfs:lnk_file { create unlink };
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir create_dir_perms;
allow vendor_init cgroup:file w_file_perms;
allow vendor_init cgroup_v2:dir create_dir_perms;
allow vendor_init cgroup_v2:file w_file_perms;
# /config
allow vendor_init configfs:dir mounton;
allow vendor_init configfs:dir create_dir_perms;
allow vendor_init configfs:{ file lnk_file } create_file_perms;
# Create directories under /dev/cpuctl after chowning it to system.
allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow vendor_init self:global_capability_class_set { chown fowner fsetid };
allow vendor_init system_data_file:dir getattr;
allow vendor_init {
file_type
-exec_type
-system_file_type
-unlabeled
-vendor_file_type
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
allow vendor_init {
file_type
-exec_type
-system_file_type
-unlabeled
-vendor_file_type
-apex_info_file
enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
file_type
-exec_type
-system_file_type
-unlabeled
-vendor_file_type
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
file_type
-apex_mnt_dir
-exec_type
-system_file_type
-unlabeled
-vendor_file_type
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
file_type
-exec_type
-system_file_type
-vendor_file_type
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
allow vendor_init dev_type:lnk_file create;
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow vendor_init debugfs_tracing:file w_file_perms;
# chown/chmod on pseudo files.
allow vendor_init {
fs_type
-fusefs_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr map };
allow vendor_init tracefs_type:file { open read setattr map };
allow vendor_init {
fs_type
-fusefs_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
}:dir { open read setattr search };
allow vendor_init dev_type:blk_file getattr;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
r_dir_file(vendor_init, proc_net_type)
allow vendor_init proc_net_type:file w_file_perms;
allow vendor_init self:global_capability_class_set net_admin;
# Write to /proc/sys/vm/page-cluster
allow vendor_init proc_page_cluster:file w_file_perms;
# Write to sysfs nodes.
allow vendor_init sysfs_type:dir r_dir_perms;
allow vendor_init sysfs_type:lnk_file read;
allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
# setfscreatecon() for labeling directories and socket files.
allow vendor_init self:process { setfscreate };
r_dir_file(vendor_init, vendor_file_type)
# Vendor init can perform operations on trusted and security Extended Attributes
allow vendor_init self:global_capability_class_set sys_admin;
# vendor_init is using bootstrap bionic
use_bootstrap_libs(vendor_init)
# Get file context
allow vendor_init file_contexts_file:file r_file_perms;
# Allow vendor_init to (re)set nice
allow vendor_init self:capability sys_nice;
# chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init {
dev_type
-hw_random_device
}:chr_file setattr;