e6da3b80d1
Manual testing protocol: * Verify prng_seeder daemon is running and has the correct label (via ps -Z) * Verify prng_seeder socket present and has correct label (via ls -Z) * Verify no SELinux denials * strace a libcrypto process and verify it reads seeding data from prng_seeder (e.g. strace bssl rand -hex 1024) * strace seeder daemon to observe incoming connections (e.g. strace -f -p `pgrep prng_seeder`) * Kill daemon, observe that init restarts it * strace again and observe clients now seed from new instance Bug: 243933553 Test: Manual - see above Change-Id: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
127 lines
4.9 KiB
Text
127 lines
4.9 KiB
Text
typeattribute init coredomain;
|
|
|
|
tmpfs_domain(init)
|
|
|
|
# Transitions to seclabel processes in init.rc
|
|
domain_trans(init, rootfs, slideshow)
|
|
domain_auto_trans(init, charger_exec, charger)
|
|
domain_auto_trans(init, e2fs_exec, e2fs)
|
|
domain_auto_trans(init, bpfloader_exec, bpfloader)
|
|
|
|
recovery_only(`
|
|
# Files in recovery image are labeled as rootfs.
|
|
domain_trans(init, rootfs, adbd)
|
|
domain_trans(init, rootfs, hal_bootctl_server)
|
|
domain_trans(init, rootfs, charger)
|
|
domain_trans(init, rootfs, fastbootd)
|
|
domain_trans(init, rootfs, hal_health_server)
|
|
domain_trans(init, rootfs, recovery)
|
|
domain_trans(init, rootfs, linkerconfig)
|
|
domain_trans(init, rootfs, servicemanager)
|
|
domain_trans(init, rootfs, snapuserd)
|
|
')
|
|
domain_trans(init, shell_exec, shell)
|
|
domain_trans(init, init_exec, ueventd)
|
|
domain_trans(init, init_exec, vendor_init)
|
|
domain_trans(init, { rootfs toolbox_exec }, modprobe)
|
|
userdebug_or_eng(`
|
|
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
|
|
domain_auto_trans(init, logcat_exec, logpersist)
|
|
|
|
# allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
|
|
allow init su:process transition;
|
|
dontaudit init su:process noatsecure;
|
|
allow init su:process { siginh rlimitinh };
|
|
')
|
|
|
|
# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
|
|
# This is useful in case of remounting ext4 userdata into checkpointing mode,
|
|
# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
|
|
# that userdata is mounted onto.
|
|
allow init sysfs_dm:file read;
|
|
|
|
# Allow init to modify the properties of loop devices.
|
|
allow init sysfs_loop:dir r_dir_perms;
|
|
allow init sysfs_loop:file rw_file_perms;
|
|
|
|
# Allow init to examine the properties of block devices.
|
|
allow init sysfs_type:file { getattr read };
|
|
# Allow init get the attributes of block devices in /dev/block.
|
|
allow init dev_type:dir r_dir_perms;
|
|
allow init dev_type:blk_file getattr;
|
|
|
|
# Allow init to write to the drop_caches file.
|
|
allow init proc_drop_caches:file rw_file_perms;
|
|
|
|
# Allow the BoringSSL self test to request a reboot upon failure
|
|
set_prop(init, powerctl_prop)
|
|
|
|
# Only init is allowed to set userspace reboot related properties.
|
|
set_prop(init, userspace_reboot_exported_prop)
|
|
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
|
|
|
|
# Second-stage init performs a test for whether the kernel has SELinux hooks
|
|
# for the perf_event_open() syscall. This is done by testing for the syscall
|
|
# outcomes corresponding to this policy.
|
|
# TODO(b/137092007): this can be removed once the platform stops supporting
|
|
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
|
|
# and 4.9).
|
|
allow init self:perf_event { open cpu };
|
|
allow init self:global_capability2_class_set perfmon;
|
|
neverallow init self:perf_event { kernel tracepoint read write };
|
|
dontaudit init self:perf_event { kernel tracepoint read write };
|
|
|
|
# Allow init to communicate with snapuserd to transition Virtual A/B devices
|
|
# from the first-stage daemon to the second-stage.
|
|
allow init snapuserd_socket:sock_file write;
|
|
allow init snapuserd:unix_stream_socket connectto;
|
|
# Allow for libsnapshot's use of flock() on /metadata/ota.
|
|
allow init ota_metadata_file:dir lock;
|
|
|
|
# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
|
|
# /dev/block.
|
|
allow init vd_device:blk_file relabelto;
|
|
|
|
# Only init is allowed to set the sysprop indicating whether perf_event_open()
|
|
# SELinux hooks were detected.
|
|
set_prop(init, init_perf_lsm_hooks_prop)
|
|
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
|
|
|
|
# Only init can write vts.native_server.on
|
|
set_prop(init, vts_status_prop)
|
|
neverallow { domain -init } vts_status_prop:property_service set;
|
|
|
|
# Only init can write normal ro.boot. properties
|
|
neverallow { domain -init } bootloader_prop:property_service set;
|
|
|
|
# Only init can write ro.boot.hypervisor properties
|
|
neverallow { domain -init } hypervisor_prop:property_service set;
|
|
|
|
# Only init can write hal.instrumentation.enable
|
|
neverallow { domain -init } hal_instrumentation_prop:property_service set;
|
|
|
|
# Only init can write ro.property_service.version
|
|
neverallow { domain -init } property_service_version_prop:property_service set;
|
|
|
|
# Only init can set keystore.boot_level
|
|
neverallow { domain -init } keystore_listen_prop:property_service set;
|
|
|
|
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
|
|
allow init debugfs_bootreceiver_tracing:file w_file_perms;
|
|
|
|
# PRNG seeder daemon socket is created and listened on by init before forking.
|
|
allow init prng_seeder:unix_stream_socket { create bind listen };
|
|
|
|
# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
|
|
# attempt to write a non exisiting 'synthetic_events' file, when setting
|
|
# up synthetic events. This is a no-op in tracefs.
|
|
dontaudit init debugfs_tracing_debug:dir { write add_name };
|
|
|
|
# chown/chmod on devices.
|
|
allow init {
|
|
dev_type
|
|
-hw_random_device
|
|
-keychord_device
|
|
-kvm_device
|
|
-port_device
|
|
}:chr_file setattr;
|