645c390d1a
In virtualized deployments of Android, it can be useful to have access to a description of the hypervisor/host environment being used to run the guest OS instance. This is represented by means of a new system property ro.boot.hypervisor.version, which is meant to convey a free-form descriptor of the current host/hypervisor version The property is meant to be provided to Android as androidboot. by whatever host-specific means are used to supply other boot properties to the target Android instance. Access could be later opened to other vendor processes to set if needed for specific setups where init is not a sufficiently-early stage for host/guest communication. Such setups are not known at this time. For a native Android incantation, the property defaults to being missing Other properties could later be added to this same namespace and context if they turn out to be useful in specific scenarios. Bug: 178749018 Test: build cuttlefish Change-Id: Id721c14ef1958b525c2866a660dcae8fd176a79d
117 lines
4.4 KiB
Text
117 lines
4.4 KiB
Text
typeattribute init coredomain;
|
|
|
|
tmpfs_domain(init)
|
|
|
|
# Transitions to seclabel processes in init.rc
|
|
domain_trans(init, rootfs, healthd)
|
|
domain_trans(init, rootfs, slideshow)
|
|
domain_auto_trans(init, charger_exec, charger)
|
|
domain_auto_trans(init, e2fs_exec, e2fs)
|
|
domain_auto_trans(init, bpfloader_exec, bpfloader)
|
|
|
|
recovery_only(`
|
|
# Files in recovery image are labeled as rootfs.
|
|
domain_trans(init, rootfs, adbd)
|
|
domain_trans(init, rootfs, charger)
|
|
domain_trans(init, rootfs, fastbootd)
|
|
domain_trans(init, rootfs, recovery)
|
|
domain_trans(init, rootfs, linkerconfig)
|
|
domain_trans(init, rootfs, snapuserd)
|
|
')
|
|
domain_trans(init, shell_exec, shell)
|
|
domain_trans(init, init_exec, ueventd)
|
|
domain_trans(init, init_exec, vendor_init)
|
|
domain_trans(init, { rootfs toolbox_exec }, modprobe)
|
|
userdebug_or_eng(`
|
|
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
|
|
domain_auto_trans(init, logcat_exec, logpersist)
|
|
|
|
# allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
|
|
allow init su:process transition;
|
|
dontaudit init su:process noatsecure;
|
|
allow init su:process { siginh rlimitinh };
|
|
')
|
|
|
|
# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
|
|
# This is useful in case of remounting ext4 userdata into checkpointing mode,
|
|
# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
|
|
# that userdata is mounted onto.
|
|
allow init sysfs_dm:file read;
|
|
|
|
# Allow init to modify the properties of loop devices.
|
|
allow init sysfs_loop:dir r_dir_perms;
|
|
allow init sysfs_loop:file rw_file_perms;
|
|
|
|
# Allow init to examine the properties of block devices.
|
|
allow init sysfs_block_type:file { getattr read };
|
|
# Allow init access /dev/block
|
|
allow init bdev_type:dir r_dir_perms;
|
|
allow init bdev_type:blk_file getattr;
|
|
|
|
# Allow init to write to the drop_caches file.
|
|
allow init proc_drop_caches:file rw_file_perms;
|
|
|
|
# Allow the BoringSSL self test to request a reboot upon failure
|
|
set_prop(init, powerctl_prop)
|
|
|
|
# Only init is allowed to set userspace reboot related properties.
|
|
set_prop(init, userspace_reboot_exported_prop)
|
|
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
|
|
|
|
# Second-stage init performs a test for whether the kernel has SELinux hooks
|
|
# for the perf_event_open() syscall. This is done by testing for the syscall
|
|
# outcomes corresponding to this policy.
|
|
# TODO(b/137092007): this can be removed once the platform stops supporting
|
|
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
|
|
# and 4.9).
|
|
allow init self:perf_event { open cpu };
|
|
allow init self:global_capability2_class_set perfmon;
|
|
neverallow init self:perf_event { kernel tracepoint read write };
|
|
dontaudit init self:perf_event { kernel tracepoint read write };
|
|
|
|
# Allow init to communicate with snapuserd to transition Virtual A/B devices
|
|
# from the first-stage daemon to the second-stage.
|
|
allow init snapuserd_socket:sock_file write;
|
|
allow init snapuserd:unix_stream_socket connectto;
|
|
# Allow for libsnapshot's use of flock() on /metadata/ota.
|
|
allow init ota_metadata_file:dir lock;
|
|
|
|
# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
|
|
# /dev/block.
|
|
allow init vd_device:blk_file relabelto;
|
|
|
|
# Only init is allowed to set the sysprop indicating whether perf_event_open()
|
|
# SELinux hooks were detected.
|
|
set_prop(init, init_perf_lsm_hooks_prop)
|
|
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
|
|
|
|
# Only init can write vts.native_server.on
|
|
set_prop(init, vts_status_prop)
|
|
neverallow { domain -init } vts_status_prop:property_service set;
|
|
|
|
# Only init can write normal ro.boot. properties
|
|
neverallow { domain -init } bootloader_prop:property_service set;
|
|
|
|
# Only init can write ro.boot.hypervisor properties
|
|
neverallow { domain -init } hypervisor_prop:property_service set;
|
|
|
|
# Only init can write hal.instrumentation.enable
|
|
neverallow { domain -init } hal_instrumentation_prop:property_service set;
|
|
|
|
# Only init can write ro.property_service.version
|
|
neverallow { domain -init } property_service_version_prop:property_service set;
|
|
|
|
# Only init can set keystore.boot_level
|
|
neverallow { domain -init } keystore_listen_prop:property_service set;
|
|
|
|
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
|
|
allow init debugfs_bootreceiver_tracing:file w_file_perms;
|
|
|
|
# chown/chmod on devices.
|
|
allow init {
|
|
dev_type
|
|
-hw_random_device
|
|
-keychord_device
|
|
-kvm_device
|
|
-port_device
|
|
}:chr_file setattr;
|