9a28f90d6a
Since linux 3.18, commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3 has been integrated and requires syslog_read capability a process accessing console-ramoops file. sepolicy must be adapted to this new requirement. Change-Id: Ib4032a6bd96b1828a0154edc8fb510e3c1d3bdc2 Signed-off-by: Sylvain Chouleur <sylvain.chouleur@intel.com>
301 lines
11 KiB
Text
301 lines
11 KiB
Text
# init is its own domain.
|
|
type init, domain, domain_deprecated, mlstrustedsubject;
|
|
tmpfs_domain(init)
|
|
|
|
# The init domain is entered by execing init.
|
|
type init_exec, exec_type, file_type;
|
|
|
|
# /dev/__null__ node created by init.
|
|
allow init tmpfs:chr_file create_file_perms;
|
|
|
|
#
|
|
# init direct restorecon calls.
|
|
#
|
|
# /dev/socket
|
|
allow init { device socket_device }:dir relabelto;
|
|
# /dev/__properties__
|
|
allow init properties_device:dir relabelto;
|
|
allow init properties_serial:file { write relabelto };
|
|
allow init property_type:file { create_file_perms relabelto };
|
|
|
|
# setrlimit
|
|
allow init self:capability sys_resource;
|
|
|
|
# Remove /dev/.booting, created before initial policy load or restorecon /dev.
|
|
allow init tmpfs:file unlink;
|
|
|
|
# Access pty created for fsck.
|
|
allow init devpts:chr_file { read write open };
|
|
|
|
# Create /dev/fscklogs files.
|
|
allow init fscklogs:file create_file_perms;
|
|
|
|
# Access /dev/__null__ node created prior to initial policy load.
|
|
allow init tmpfs:chr_file write;
|
|
|
|
# Access /dev/console.
|
|
allow init console_device:chr_file rw_file_perms;
|
|
|
|
# Access /dev/tty0.
|
|
allow init tty_device:chr_file rw_file_perms;
|
|
|
|
# Call mount(2).
|
|
allow init self:capability sys_admin;
|
|
|
|
# Create and mount on directories in /.
|
|
allow init rootfs:dir create_dir_perms;
|
|
allow init { rootfs cache_file cgroup storage_file system_data_file system_file }:dir mounton;
|
|
|
|
# Mount on /dev/usb-ffs/adb.
|
|
allow init device:dir mounton;
|
|
|
|
# Create and remove symlinks in /.
|
|
allow init rootfs:lnk_file { create unlink };
|
|
|
|
# Mount debugfs on /sys/kernel/debug.
|
|
allow init sysfs:dir mounton;
|
|
|
|
# Create cgroups mount points in tmpfs and mount cgroups on them.
|
|
allow init tmpfs:dir create_dir_perms;
|
|
allow init tmpfs:dir mounton;
|
|
allow init cgroup:dir create_dir_perms;
|
|
allow init cpuctl_device:dir { create mounton };
|
|
|
|
# Use tmpfs as /data, used for booting when /data is encrypted
|
|
allow init tmpfs:dir relabelfrom;
|
|
|
|
# Create directories under /dev/cpuctl after chowning it to system.
|
|
allow init self:capability dac_override;
|
|
|
|
# Set system clock.
|
|
allow init self:capability sys_time;
|
|
|
|
allow init self:capability { sys_rawio mknod };
|
|
|
|
# Mounting filesystems from block devices.
|
|
allow init dev_type:blk_file r_file_perms;
|
|
|
|
# Mounting filesystems.
|
|
# Only allow relabelto for types used in context= mount options,
|
|
# which should all be assigned the contextmount_type attribute.
|
|
# This can be done in device-specific policy via type or typeattribute
|
|
# declarations.
|
|
allow init fs_type:filesystem ~relabelto;
|
|
allow init unlabeled:filesystem ~relabelto;
|
|
allow init contextmount_type:filesystem relabelto;
|
|
|
|
# Allow read-only access to context= mounted filesystems.
|
|
allow init contextmount_type:dir r_dir_perms;
|
|
allow init contextmount_type:notdevfile_class_set r_file_perms;
|
|
|
|
# restorecon /adb_keys or any other rootfs files to a more specific type.
|
|
allow init rootfs:file relabelfrom;
|
|
|
|
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
|
|
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
|
|
# system/core/init.rc requires at least cache_file and data_file_type.
|
|
# init.<board>.rc files often include device-specific types, so
|
|
# we just allow all file types except /system files here.
|
|
allow init self:capability { chown fowner fsetid };
|
|
allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
|
|
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
|
|
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
|
|
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
|
|
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
|
|
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
|
|
allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
|
|
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
|
|
allow init dev_type:dir create_dir_perms;
|
|
allow init dev_type:lnk_file create;
|
|
|
|
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
|
|
allow init debugfs_tracing:file w_file_perms;
|
|
|
|
# chown/chmod on pseudo files.
|
|
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
|
|
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
|
|
|
|
# chown/chmod on devices.
|
|
allow init { dev_type -kmem_device }:chr_file { read open setattr };
|
|
|
|
# Unlabeled file access for upgrades from 4.2.
|
|
allow init unlabeled:dir { create_dir_perms relabelfrom };
|
|
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
|
|
|
|
# Create /data/security from init.rc post-fs-data.
|
|
allow init security_file:dir { create setattr };
|
|
|
|
# Reload policy upon setprop selinux.reload_policy 1.
|
|
# Note: this requires the following allow rule
|
|
# allow init kernel:security load_policy;
|
|
# which can be configured on a device-by-device basis if needed.
|
|
r_dir_file(init, security_file)
|
|
|
|
# Any operation that can modify the kernel ring buffer, e.g. clear
|
|
# or a read that consumes the messages that were read.
|
|
allow init kernel:system syslog_mod;
|
|
allow init self:capability2 syslog;
|
|
|
|
# Set usermodehelpers and /proc security settings.
|
|
allow init usermodehelper:file rw_file_perms;
|
|
allow init proc_security:file rw_file_perms;
|
|
|
|
# Write to /proc/sys/kernel/panic_on_oops.
|
|
allow init proc:file w_file_perms;
|
|
|
|
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
|
|
allow init proc_net:file w_file_perms;
|
|
allow init self:capability net_admin;
|
|
|
|
# Write to /proc/sysrq-trigger.
|
|
allow init proc_sysrq:file w_file_perms;
|
|
|
|
# Reboot.
|
|
allow init self:capability sys_boot;
|
|
|
|
# Write to sysfs nodes.
|
|
allow init sysfs_type:dir r_dir_perms;
|
|
allow init sysfs_type:file w_file_perms;
|
|
|
|
# disksize
|
|
allow init sysfs_zram:file getattr;
|
|
|
|
# Transitions to seclabel processes in init.rc
|
|
domain_trans(init, rootfs, adbd)
|
|
domain_trans(init, rootfs, healthd)
|
|
domain_trans(init, rootfs, slideshow)
|
|
recovery_only(`
|
|
domain_trans(init, rootfs, recovery)
|
|
')
|
|
domain_trans(init, shell_exec, shell)
|
|
domain_trans(init, init_exec, ueventd)
|
|
domain_trans(init, init_exec, watchdogd)
|
|
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
|
|
userdebug_or_eng(`
|
|
domain_auto_trans(init, logcat_exec, logd)
|
|
')
|
|
|
|
# Support "adb shell stop"
|
|
allow init self:capability kill;
|
|
allow init domain:process { sigkill signal };
|
|
|
|
# Init creates keystore's directory on boot, and walks through
|
|
# the directory as part of a recursive restorecon.
|
|
allow init keystore_data_file:dir { open create read getattr setattr search };
|
|
allow init keystore_data_file:file { getattr };
|
|
|
|
# Init creates vold's directory on boot, and walks through
|
|
# the directory as part of a recursive restorecon.
|
|
allow init vold_data_file:dir { open create read getattr setattr search };
|
|
allow init vold_data_file:file { getattr };
|
|
|
|
# Init creates /data/local/tmp at boot
|
|
allow init shell_data_file:dir { open create read getattr setattr search };
|
|
allow init shell_data_file:file { getattr };
|
|
|
|
# Set UID and GID for services.
|
|
allow init self:capability { setuid setgid };
|
|
|
|
# For bootchart to read the /proc/$pid/cmdline file of each process,
|
|
# we need to have following line to allow init to have access
|
|
# to different domains.
|
|
r_dir_file(init, domain)
|
|
|
|
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
|
|
# setexec is for services with seclabel options.
|
|
# setfscreate is for labeling directories and socket files.
|
|
# setsockcreate is for labeling local/unix domain sockets.
|
|
allow init self:process { setexec setfscreate setsockcreate };
|
|
|
|
# Perform SELinux access checks on setting properties.
|
|
selinux_check_access(init)
|
|
|
|
# Ask the kernel for the new context on services to label their sockets.
|
|
allow init kernel:security compute_create;
|
|
|
|
# Create sockets for the services.
|
|
allow init domain:unix_stream_socket { create bind };
|
|
allow init domain:unix_dgram_socket { create bind };
|
|
|
|
# Create /data/property and files within it.
|
|
allow init property_data_file:dir create_dir_perms;
|
|
allow init property_data_file:file create_file_perms;
|
|
|
|
# Set any property.
|
|
allow init property_type:property_service set;
|
|
|
|
# Run "ifup lo" to bring up the localhost interface
|
|
allow init self:udp_socket { create ioctl };
|
|
allow init self:capability net_raw;
|
|
|
|
# This line seems suspect, as it should not really need to
|
|
# set scheduling parameters for a kernel domain task.
|
|
allow init kernel:process setsched;
|
|
|
|
# swapon() needs write access to swap device
|
|
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
|
|
allow init swap_block_device:blk_file rw_file_perms;
|
|
|
|
# Read from /dev/hw_random if present.
|
|
# system/core/init/init.c - mix_hwrng_into_linux_rng_action
|
|
allow init hw_random_device:chr_file r_file_perms;
|
|
|
|
# Create and access /dev files without a specific type,
|
|
# e.g. /dev/.coldboot_done, /dev/.booting
|
|
# TODO: Move these files into their own type unless they are
|
|
# only ever accessed by init.
|
|
allow init device:file create_file_perms;
|
|
|
|
# Access character devices without a specific type,
|
|
# e.g. /dev/keychord.
|
|
# TODO: Move these devices into their own type unless they
|
|
# are only ever accessed by init.
|
|
allow init device:chr_file { rw_file_perms setattr };
|
|
|
|
# keychord configuration
|
|
allow init self:capability sys_tty_config;
|
|
|
|
# Access device mapper for setting up dm-verity
|
|
allow init dm_device:chr_file rw_file_perms;
|
|
allow init dm_device:blk_file rw_file_perms;
|
|
|
|
# Access metadata block device for storing dm-verity state
|
|
allow init metadata_block_device:blk_file rw_file_perms;
|
|
|
|
# Read /sys/fs/pstore/console-ramoops to detect restarts caused
|
|
# by dm-verity detecting corrupted blocks
|
|
allow init pstorefs:dir search;
|
|
allow init pstorefs:file r_file_perms;
|
|
allow init kernel:system syslog_read;
|
|
|
|
# linux keyring configuration
|
|
allow init init:key { write search setattr };
|
|
|
|
# Allow init to create /data/unencrypted
|
|
allow init unencrypted_data_file:dir create_dir_perms;
|
|
|
|
unix_socket_connect(init, vold, vold)
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# The init domain is only entered via setcon from the kernel domain,
|
|
# never via an exec-based transition.
|
|
neverallow domain init:process dyntransition;
|
|
neverallow { domain -kernel} init:process transition;
|
|
neverallow init { file_type fs_type -init_exec }:file entrypoint;
|
|
|
|
# Never read/follow symlinks created by shell or untrusted apps.
|
|
neverallow init shell_data_file:lnk_file read;
|
|
neverallow init app_data_file:lnk_file read;
|
|
|
|
# init should never execute a program without changing to another domain.
|
|
neverallow init { file_type fs_type }:file execute_no_trans;
|
|
|
|
# Init never adds or uses services via service_manager.
|
|
neverallow init service_manager_type:service_manager { add find };
|
|
neverallow init servicemanager:service_manager list;
|
|
|
|
# Init should not be creating subdirectories in /data/local/tmp
|
|
neverallow init shell_data_file:dir { write add_name remove_name };
|