tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/init.te
Max Bires aaacfdb054 Add ro.remote_provisioning.*.rkp_only properties. 
These properties are used to inform keystore2 and the RemoteProvisioner
app how they should behave in the system in the event that RKP keys are
exhausted. The usual behavior in a hybrid system is not to take any
action and fallback to the factory provisioned key if key attestation is
requested and no remotely provisioned keys are available.

However, there are instances where this could happen on a device that
was intended to be RKP only, in which case the system needs to know that
it should go ahead and attempt to remotely provision new certificates or
throw an error in the case where none are available.

Test: New properties are accessible from the two domains
Change-Id: I8d6c9e650566499bf08cfda2f71c64d5c2b26fd6
2022-04-04 11:23:12 -07:00

126 lines
4.8 KiB
Text
Raw Blame History

typeattribute init coredomain;
tmpfs_domain(init)
# Transitions to seclabel processes in init.rc
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, charger_exec, charger)
domain_auto_trans(init, e2fs_exec, e2fs)
domain_auto_trans(init, bpfloader_exec, bpfloader)
recovery_only(`
# Files in recovery image are labeled as rootfs.
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, charger)
domain_trans(init, rootfs, fastbootd)
domain_trans(init, rootfs, hal_health_server)
domain_trans(init, rootfs, recovery)
domain_trans(init, rootfs, linkerconfig)
domain_trans(init, rootfs, servicemanager)
domain_trans(init, rootfs, snapuserd)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, vendor_init)
domain_trans(init, { rootfs toolbox_exec }, modprobe)
userdebug_or_eng(`
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
domain_auto_trans(init, logcat_exec, logpersist)
# allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
allow init su:process transition;
dontaudit init su:process noatsecure;
allow init su:process { siginh rlimitinh };
')
# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
# This is useful in case of remounting ext4 userdata into checkpointing mode,
# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
# that userdata is mounted onto.
allow init sysfs_dm:file read;
# Allow init to modify the properties of loop devices.
allow init sysfs_loop:dir r_dir_perms;
allow init sysfs_loop:file rw_file_perms;
# Allow init to examine the properties of block devices.
allow init sysfs_type:file { getattr read };
# Allow init get the attributes of block devices in /dev/block.
allow init dev_type:dir r_dir_perms;
allow init dev_type:blk_file getattr;
# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;
# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)
# Only init is allowed to set userspace reboot related properties.
set_prop(init, userspace_reboot_exported_prop)
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
# Second-stage init performs a test for whether the kernel has SELinux hooks
# for the perf_event_open() syscall. This is done by testing for the syscall
# outcomes corresponding to this policy.
# TODO(b/137092007): this can be removed once the platform stops supporting
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
# and 4.9).
allow init self:perf_event { open cpu };
allow init self:global_capability2_class_set perfmon;
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };
# Allow init to communicate with snapuserd to transition Virtual A/B devices
# from the first-stage daemon to the second-stage.
allow init snapuserd_socket:sock_file write;
allow init snapuserd:unix_stream_socket connectto;
# Allow for libsnapshot's use of flock() on /metadata/ota.
allow init ota_metadata_file:dir lock;
# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;
# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
# Only init can write vts.native_server.on
set_prop(init, vts_status_prop)
neverallow { domain -init } vts_status_prop:property_service set;
# Only init can write normal ro.boot. properties
neverallow { domain -init } bootloader_prop:property_service set;
# Only init can write ro.boot.hypervisor properties
neverallow { domain -init } hypervisor_prop:property_service set;
# Only init can write hal.instrumentation.enable
neverallow { domain -init } hal_instrumentation_prop:property_service set;
# Only init can write ro.property_service.version
neverallow { domain -init } property_service_version_prop:property_service set;
# Only init can set keystore.boot_level
neverallow { domain -init } keystore_listen_prop:property_service set;
# Only init can set the ro.remote_provisioning.* props
neverallow { domain -init } remote_prov_prop:property_service set;
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
# attempt to write a non exisiting 'synthetic_events' file, when setting
# up synthetic events. This is a no-op in tracefs.
dontaudit init debugfs_tracing_debug:dir { write add_name };
# chown/chmod on devices.
allow init {
dev_type
-hw_random_device
-keychord_device
-kvm_device
-port_device
}:chr_file setattr;
Reference in a new issue View git blame Copy permalink