faa538dbfc
The denial is correct, but is causing test failures. However it appears to be harmless and VMs are operating just fine. Suppress it until the correct policy is ready. Bug: 306516077 Test: atest MicrodroidHostTests Change-Id: I5d8545add4927c2521c3d4e9dc2b5bedb91c0f45
129 lines
5 KiB
Text
129 lines
5 KiB
Text
typeattribute init coredomain;
|
|
|
|
tmpfs_domain(init)
|
|
|
|
# Transitions to seclabel processes in init.rc
|
|
domain_trans(init, rootfs, slideshow)
|
|
domain_auto_trans(init, charger_exec, charger)
|
|
domain_auto_trans(init, e2fs_exec, e2fs)
|
|
domain_auto_trans(init, bpfloader_exec, bpfloader)
|
|
|
|
recovery_only(`
|
|
# Files in recovery image are labeled as rootfs.
|
|
domain_trans(init, rootfs, adbd)
|
|
domain_trans(init, rootfs, hal_bootctl_server)
|
|
domain_trans(init, rootfs, charger)
|
|
domain_trans(init, rootfs, fastbootd)
|
|
domain_trans(init, rootfs, hal_fastboot_server)
|
|
domain_trans(init, rootfs, hal_health_server)
|
|
domain_trans(init, rootfs, recovery)
|
|
domain_trans(init, rootfs, linkerconfig)
|
|
domain_trans(init, rootfs, servicemanager)
|
|
domain_trans(init, rootfs, snapuserd)
|
|
')
|
|
domain_trans(init, shell_exec, shell)
|
|
domain_trans(init, init_exec, ueventd)
|
|
domain_trans(init, init_exec, vendor_init)
|
|
domain_trans(init, { rootfs toolbox_exec }, modprobe)
|
|
userdebug_or_eng(`
|
|
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
|
|
domain_auto_trans(init, logcat_exec, logpersist)
|
|
|
|
# allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
|
|
allow init su:process transition;
|
|
dontaudit init su:process noatsecure;
|
|
allow init su:process { siginh rlimitinh };
|
|
')
|
|
|
|
# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
|
|
# This is useful in case of remounting ext4 userdata into checkpointing mode,
|
|
# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
|
|
# that userdata is mounted onto.
|
|
allow init sysfs_dm:file read;
|
|
|
|
# Allow init to modify the properties of loop devices.
|
|
allow init sysfs_loop:dir r_dir_perms;
|
|
allow init sysfs_loop:file rw_file_perms;
|
|
|
|
# Allow init to examine the properties of block devices.
|
|
allow init sysfs_type:file { getattr read };
|
|
# Allow init get the attributes of block devices in /dev/block.
|
|
allow init dev_type:dir r_dir_perms;
|
|
allow init dev_type:blk_file getattr;
|
|
|
|
# Allow init to write to the drop_caches file.
|
|
allow init proc_drop_caches:file rw_file_perms;
|
|
|
|
# Allow the BoringSSL self test to request a reboot upon failure
|
|
set_prop(init, powerctl_prop)
|
|
|
|
# Only init is allowed to set userspace reboot related properties.
|
|
set_prop(init, userspace_reboot_exported_prop)
|
|
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
|
|
|
|
# Second-stage init performs a test for whether the kernel has SELinux hooks
|
|
# for the perf_event_open() syscall. This is done by testing for the syscall
|
|
# outcomes corresponding to this policy.
|
|
# TODO(b/137092007): this can be removed once the platform stops supporting
|
|
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
|
|
# and 4.9).
|
|
allow init self:perf_event { open cpu };
|
|
allow init self:global_capability2_class_set perfmon;
|
|
neverallow init self:perf_event { kernel tracepoint read write };
|
|
dontaudit init self:perf_event { kernel tracepoint read write };
|
|
|
|
# Allow init to communicate with snapuserd to transition Virtual A/B devices
|
|
# from the first-stage daemon to the second-stage.
|
|
allow init snapuserd_socket:sock_file write;
|
|
allow init snapuserd:unix_stream_socket connectto;
|
|
# Allow for libsnapshot's use of flock() on /metadata/ota.
|
|
allow init ota_metadata_file:dir lock;
|
|
|
|
# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
|
|
# /dev/block.
|
|
allow init vd_device:blk_file relabelto;
|
|
|
|
# Only init is allowed to set the sysprop indicating whether perf_event_open()
|
|
# SELinux hooks were detected.
|
|
set_prop(init, init_perf_lsm_hooks_prop)
|
|
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
|
|
|
|
# Only init can write vts.native_server.on
|
|
set_prop(init, vts_status_prop)
|
|
neverallow { domain -init } vts_status_prop:property_service set;
|
|
|
|
# Only init can write normal ro.boot. properties
|
|
neverallow { domain -init } bootloader_prop:property_service set;
|
|
|
|
# Only init can write hal.instrumentation.enable
|
|
neverallow { domain -init } hal_instrumentation_prop:property_service set;
|
|
|
|
# Only init can write ro.property_service.version
|
|
neverallow { domain -init } property_service_version_prop:property_service set;
|
|
|
|
# Only init can set keystore.boot_level
|
|
neverallow { domain -init } keystore_listen_prop:property_service set;
|
|
|
|
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
|
|
allow init debugfs_bootreceiver_tracing:file w_file_perms;
|
|
|
|
# PRNG seeder daemon socket is created and listened on by init before forking.
|
|
allow init prng_seeder:unix_stream_socket { create bind listen };
|
|
|
|
# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
|
|
# attempt to write a non exisiting 'synthetic_events' file, when setting
|
|
# up synthetic events. This is a no-op in tracefs.
|
|
dontaudit init debugfs_tracing_debug:dir { write add_name };
|
|
|
|
# chown/chmod on devices.
|
|
allow init {
|
|
dev_type
|
|
-hw_random_device
|
|
-keychord_device
|
|
-vm_manager_device_type
|
|
-port_device
|
|
}:chr_file setattr;
|
|
|
|
# Workaround for test failures (b/306516077)
|
|
# We get a denial for this on boot, but the denial is correct.
|
|
dontaudit init device:file relabelto;
|