# Type-enforcement rules for the `init` domain: the process-domain transitions
# init may perform, the property-service rules that reserve certain properties
# for init alone, and the device / sysfs / socket accesses init needs during
# early boot. Any rule removed here revokes an access; any rule added widens
# what the most privileged userspace process may do, so changes deserve review.

# init is a core (system-image) domain and gets its own private tmpfs type.
typeattribute init coredomain;

tmpfs_domain(init)

# Transitions to seclabel processes in init.rc
# domain_trans() only permits the transition (the target domain is chosen via
# `seclabel` in init.rc); domain_auto_trans() additionally installs a
# type_transition so that exec'ing the listed executable type switches domain
# automatically.
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, charger_exec, charger)
domain_auto_trans(init, e2fs_exec, e2fs)
domain_auto_trans(init, bpfloader_exec, bpfloader)
recovery_only(`
  # Files in recovery image are labeled as rootfs.
  # Because everything in recovery shares the rootfs type, these transitions
  # cannot be keyed on a per-executable type; they rely on seclabel instead.
  domain_trans(init, rootfs, adbd)
  domain_trans(init, rootfs, hal_bootctl_server)
  domain_trans(init, rootfs, charger)
  domain_trans(init, rootfs, fastbootd)
  domain_trans(init, rootfs, hal_fastboot_server)
  domain_trans(init, rootfs, hal_health_server)
  domain_trans(init, rootfs, recovery)
  domain_trans(init, rootfs, linkerconfig)
  domain_trans(init, rootfs, servicemanager)
  domain_trans(init, rootfs, snapuserd)
')
domain_trans(init, shell_exec, shell)
# ueventd and vendor_init are the init binary itself re-exec'd into a
# different domain, hence the init_exec source type.
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, vendor_init)
domain_trans(init, { rootfs toolbox_exec }, modprobe)

# Debug-only grants: none of the rules in this block exist on user builds.
userdebug_or_eng(`
  # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
  domain_auto_trans(init, logcat_exec, logpersist)

  # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
  allow init su:process transition;
  dontaudit init su:process noatsecure;
  allow init su:process { siginh rlimitinh };
')

# Allow init to figure out name of dm-device from its /dev/block/dm-XX path.
# This is useful in case of remounting ext4 userdata into checkpointing mode,
# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
# that userdata is mounted onto.
allow init sysfs_dm:file read;

# Allow init to modify the properties of loop devices.
allow init sysfs_loop:dir r_dir_perms;
allow init sysfs_loop:file rw_file_perms;

# Allow init to examine the properties of block devices.
# Read-only: sysfs_type covers all of sysfs, so no write is granted here.
allow init sysfs_type:file { getattr read };

# Allow init get the attributes of block devices in /dev/block.
allow init dev_type:dir r_dir_perms;
allow init dev_type:blk_file getattr;

# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;

# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)

# Only init is allowed to set userspace reboot related properties.
# neverallow is a build-time assertion: the policy fails to compile if any
# other domain is ever granted this permission.
set_prop(init, userspace_reboot_exported_prop)
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;

# Second-stage init performs a test for whether the kernel has SELinux hooks
# for the perf_event_open() syscall. This is done by testing for the syscall
# outcomes corresponding to this policy.
# TODO(b/137092007): this can be removed once the platform stops supporting
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
# and 4.9).
# The probe relies on the allow/neverallow pair below being asymmetric: a
# hook-aware kernel permits `open cpu` and denies `kernel tracepoint read
# write`, while a kernel without the hooks does not consult this policy at
# all. The dontaudit keeps the deliberately-denied probe out of the audit log.
allow init self:perf_event { open cpu };
allow init self:global_capability2_class_set perfmon;
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };

# Allow init to communicate with snapuserd to transition Virtual A/B devices
# from the first-stage daemon to the second-stage.
allow init snapuserd_socket:sock_file write;
allow init snapuserd:unix_stream_socket connectto;

# Allow for libsnapshot's use of flock() on /metadata/ota.
allow init ota_metadata_file:dir lock;

# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;

# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;

# Only init can write vts.native_server.on
set_prop(init, vts_status_prop)
neverallow { domain -init } vts_status_prop:property_service set;

# Only init can write normal ro.boot. properties
# (The set_prop grant for these lives elsewhere; this file only carries the
# exclusivity assertions for the next four property types.)
neverallow { domain -init } bootloader_prop:property_service set;

# Only init can write hal.instrumentation.enable
neverallow { domain -init } hal_instrumentation_prop:property_service set;

# Only init can write ro.property_service.version
neverallow { domain -init } property_service_version_prop:property_service set;

# Only init can set keystore.boot_level
neverallow { domain -init } keystore_listen_prop:property_service set;

# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;

# PRNG seeder daemon socket is created and listened on by init before forking.
# init only creates/binds/listens; the inherited socket is served by the
# prng_seeder domain itself.
allow init prng_seeder:unix_stream_socket { create bind listen };

# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
# attempt to write a non existing 'synthetic_events' file, when setting
# up synthetic events. This is a no-op in tracefs.
# dontaudit suppresses the denial message only; no access is granted.
dontaudit init debugfs_tracing_debug:dir { write add_name };

# chown/chmod on devices.
# setattr (ownership/mode changes) on character devices in general, with a
# handful of device types carved out. NOTE(review): the reason each exclusion
# is listed is not stated here — presumably their ownership/permissions must
# remain as the kernel or ueventd created them; confirm against the owning
# policy before adding or removing an exclusion.
allow init { dev_type -hw_random_device -keychord_device -vm_manager_device_type -port_device }:chr_file setattr;