99 lines
3.6 KiB
Text
99 lines
3.6 KiB
Text
typeattribute kernel coredomain;
|
|
|
|
domain_auto_trans(kernel, init_exec, init)
|
|
|
|
# The following sections are for the transition period during a Virtual A/B
|
|
# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
|
|
# context, and with properly labelled devices. This must be done before
|
|
# enabling enforcement, eg, in permissive mode while still in the kernel
|
|
# context.
|
|
allow kernel tmpfs:blk_file { getattr relabelfrom };
|
|
allow kernel tmpfs:chr_file { getattr relabelfrom };
|
|
allow kernel tmpfs:lnk_file { getattr relabelfrom };
|
|
allow kernel tmpfs:dir { open read relabelfrom };
|
|
|
|
allow kernel block_device:blk_file relabelto;
|
|
allow kernel block_device:lnk_file relabelto;
|
|
allow kernel dm_device:chr_file relabelto;
|
|
allow kernel dm_device:blk_file relabelto;
|
|
allow kernel dm_user_device:dir { read open search relabelto };
|
|
allow kernel dm_user_device:chr_file relabelto;
|
|
allow kernel kmsg_device:chr_file relabelto;
|
|
allow kernel null_device:chr_file relabelto;
|
|
allow kernel random_device:chr_file relabelto;
|
|
allow kernel kmsg_device:chr_file write;
|
|
allow kernel vd_device:blk_file read;
|
|
|
|
allow kernel self:global_capability_class_set sys_nice;
|
|
|
|
# Root fs.
|
|
r_dir_file(kernel, rootfs)
|
|
|
|
# Used to read androidboot.selinux property
|
|
allow kernel {
|
|
proc_bootconfig
|
|
proc_cmdline
|
|
}:file r_file_perms;
|
|
|
|
# Get SELinux enforcing status.
|
|
allow kernel selinuxfs:dir r_dir_perms;
|
|
allow kernel selinuxfs:file r_file_perms;
|
|
|
|
# Get file contexts during first stage
|
|
allow kernel file_contexts_file:file r_file_perms;
|
|
|
|
# Allow init relabel itself.
|
|
allow kernel rootfs:file relabelfrom;
|
|
allow kernel init_exec:file relabelto;
|
|
# TODO: investigate why we need this.
|
|
allow kernel init:process share;
|
|
|
|
# cgroup filesystem initialization prior to setting the cgroup root directory label.
|
|
allow kernel unlabeled:dir search;
|
|
|
|
# Initial setenforce by init prior to switching to init domain.
|
|
# We use dontaudit instead of allow to prevent a kernel spawned userspace
|
|
# process from turning off SELinux once enabled.
|
|
dontaudit kernel self:security setenforce;
|
|
|
|
# Init reboot before switching selinux domains under certain error
|
|
# conditions. Allow it.
|
|
# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
|
|
# remount filesystems read-only. /data is not mounted at this point,
|
|
# so we could ignore this. For now, we allow it.
|
|
allow kernel self:global_capability_class_set sys_boot;
|
|
allow kernel proc_sysrq:file w_file_perms;
|
|
|
|
# Allow writing to /dev/kmsg which was created prior to loading policy.
|
|
allow kernel tmpfs:chr_file write;
|
|
|
|
# Set checkreqprot by init.rc prior to switching to init domain.
|
|
allow kernel selinuxfs:file write;
|
|
allow kernel self:security setcheckreqprot;
|
|
|
|
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
|
|
allow kernel { sdcard_type fuse }:file { read write };
|
|
|
|
# Allow the kernel to read APEX file descriptors and (staged) data files;
|
|
# Needed because APEX uses the loopback driver, which issues requests from
|
|
# a kernel thread in earlier kernel version.
|
|
allow kernel apexd:fd use;
|
|
|
|
#-----------------------------------------
|
|
allow kernel apkdmverity:fd use;
|
|
|
|
# Some contexts are changed before the device is flipped into enforcing mode
|
|
# during the setup of Apex sepolicy. These denials can be suppressed since
|
|
# the permissions should not be allowed after the device is flipped into
|
|
# enforcing mode.
|
|
dontaudit kernel device:dir { open read relabelto };
|
|
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
|
|
dontaudit kernel {
|
|
file_contexts_file
|
|
hwservice_contexts_file
|
|
mac_perms_file
|
|
property_contexts_file
|
|
seapp_contexts_file
|
|
sepolicy_test_file
|
|
service_contexts_file
|
|
}:file relabelto;
|