#
# SELinux type-enforcement policy for the Android init domain (PID 1).
#
# Reading notes: the *_perms sets (r_file_perms, rw_file_perms, create_dir_perms,
# ...) and the r_dir_file()/unix_socket_connect()/selinux_check_access() calls are
# project-defined m4 macros that expand to one or more allow rules.  Inside a
# { ... } type set a leading '-' removes that type from the set; a leading '~'
# on a permission set means "every permission of the class except these".
#
# init is its own domain.
# mlstrustedsubject exempts the domain from the MLS (level-based) constraints.
type init, domain, mlstrustedsubject;

# The init domain is entered by execing init.
# init_exec is the only permitted entrypoint; see the neverallow rules at the
# end of this file.
type init_exec, exec_type, file_type;

# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };

#
# init direct restorecon calls.
#
# Each group below pairs relabelfrom on the type a node is created with
# (usually tmpfs or device, i.e. the generic /dev label) with relabelto on
# the specific type restorecon assigns to it.
#
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { write relabelto };
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { create_file_perms relabelto };
# /dev/event-log-tags
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto };
# /dev/socket
allow init { device socket_device }:dir relabelto;
# /dev/random, /dev/urandom
allow init random_device:chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
# Use file descriptors owned by the kernel domain.
# NOTE(review): presumably the descriptors init inherits when the kernel
# execs it (see the transition neverallow below); not restorecon-specific.
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
allow init system_block_device:{ blk_file lnk_file } relabelto;

# setrlimit
allow init self:capability sys_resource;

# Remove /dev/.booting, created before initial policy load or restorecon /dev.
allow init tmpfs:file unlink;

# Access pty created for fsck.
allow init devpts:chr_file { read write open };

# Create /dev/fscklogs files.
allow init fscklogs:file create_file_perms;

# Access /dev/__null__ node created prior to initial policy load.
allow init tmpfs:chr_file write;

# Access /dev/console.
allow init console_device:chr_file rw_file_perms;

# Access /dev/tty0.
allow init tty_device:chr_file rw_file_perms;

# Call mount(2).
# Note that CAP_SYS_ADMIN covers far more than mount(2); it is granted because
# init performs the mounts itself.
allow init self:capability sys_admin;

# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;

# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;

# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };

# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;

# Create cgroups mount points in tmpfs and mount cgroups on them.
allow init tmpfs:dir create_dir_perms;
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
r_dir_file(init, cgroup)
allow init cpuctl_device:dir { create mounton };

# /config
allow init configfs:dir mounton;
allow init configfs:dir create_dir_perms;

# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;

# Create directories under /dev/cpuctl after chowning it to system.
# Note that dac_override bypasses the DAC (mode-bit) checks on every file,
# not only under /dev/cpuctl.
allow init self:capability dac_override;

# Set system clock.
allow init self:capability sys_time;

# NOTE(review): no rationale is recorded for these two capabilities.  mknod is
# presumably needed to create device nodes (cf. the dev_type rules below);
# confirm sys_rawio is still required.
allow init self:capability { sys_rawio mknod };

# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;

# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
# "~relabelto" grants every filesystem permission except relabelto, so a
# context= mount on a type lacking contextmount_type is denied.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;

# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;

# restorecon /adb_keys or any other rootfs files and directories to a more
# specific type.
allow init rootfs:{ dir file } relabelfrom;

# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod need open+read+setattr because they are implemented as
# open()+fchown()/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow init self:capability { chown fowner fsetid };

# The exclusions in the five rules below keep init from creating or writing
# app, shell, keystore and vold data, and from modifying /system, /vendor or
# any executable.  The few keystore/vold/shell directory operations init does
# need are granted individually further down in this file.
allow init {
  file_type
  -app_data_file
  -exec_type
  -misc_logd_file
  -system_app_data_file
  -system_file
  -vendor_file_type
}:dir { create search getattr open read setattr ioctl };

allow init {
  file_type
  -app_data_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };

# runtime_event_log_tags_file is excluded here because it already has its own,
# narrower rule in the restorecon section above.
allow init {
  file_type
  -app_data_file
  -runtime_event_log_tags_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:file { create getattr open read write setattr relabelfrom unlink };

allow init {
  file_type
  -app_data_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

allow init {
  file_type
  -app_data_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };

allow init cache_file:lnk_file r_file_perms;

# restorecon targets: any file type except /system, /vendor and executables,
# plus sysfs/debugfs nodes.
allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;

# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow init tracing_shell_writable:file w_file_perms;

# Setup and control wifi event tracing (see wifi-events.rc)
allow init debugfs_tracing_instances:dir create_dir_perms;
allow init debugfs_tracing_instances:file w_file_perms;
allow init debugfs_wifi_tracing:file w_file_perms;

# chown/chmod on pseudo files.
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };

# init should not be able to read or open generic devices
# TODO: auditing to see if this can be deleted entirely
# The allow rule still grants read/open on nearly every device node; the
# auditallow that follows logs any use of it on devices other than the listed
# known-needed ones, so the allow can be narrowed once the audit log is clean.
allow init {
  dev_type
  -kmem_device
  -port_device
  -device
  -vndbinder_device
  }:chr_file { read open };
auditallow init {
  dev_type
  -alarm_device
  -ashmem_device
  -binder_device
  -console_device
  -device
  -devpts
  -dm_device
  -hwbinder_device
  -hw_random_device
  -keychord_device
  -kmem_device
  -kmsg_device
  -null_device
  -owntty_device
  -port_device
  -ptmx_device
  -random_device
  -zero_device
}:chr_file { read open };

# chown/chmod on devices.
allow init { dev_type -kmem_device -port_device }:chr_file setattr;

# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };

# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
allow init self:capability2 syslog;

# Set usermodehelpers and /proc security settings.
allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;

# Write to /proc/sys/kernel/panic_on_oops.
r_dir_file(init, proc)
allow init proc:file w_file_perms;

# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
r_dir_file(init, proc_net)
allow init proc_net:file w_file_perms;
allow init self:capability net_admin;

# Write to /proc/sysrq-trigger.
allow init proc_sysrq:file w_file_perms;

# Read /proc/stat for bootchart.
allow init proc_stat:file r_file_perms;

# Reboot.
allow init self:capability sys_boot;

# Write to sysfs nodes.
allow init sysfs_type:dir r_dir_perms;
allow init sysfs_type:lnk_file read;
allow init sysfs_type:file rw_file_perms;

# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
# Init will also walk through the directory as part of a recursive restorecon.
allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
allow init misc_logd_file:file { open create getattr setattr write };

# Support "adb shell stop"
# Note: the second rule lets init signal or kill processes in every domain.
allow init self:capability kill;
allow init domain:process { sigkill signal };

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
# (Deliberately no write/add_name: keystore_data_file is excluded from the
# generic directory-write rule above.)
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };

# Init creates vold's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init vold_data_file:dir { open create read getattr setattr search };
allow init vold_data_file:file { getattr };

# Init creates /data/local/tmp at boot
# (No write/add_name here either; see the matching neverallow at the end.)
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };

# Set UID, GID, and adjust capability bounding set for services.
allow init self:capability { setuid setgid setpcap };

# For bootchart to read /proc/$pid/cmdline of every process, init needs
# read access to the /proc entries of all domains.
r_dir_file(init, domain)

# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };

# Get file context
allow init file_contexts_file:file r_file_perms;

# sepolicy access
allow init sepolicy_file:file r_file_perms;

# Perform SELinux access checks on setting properties.
selinux_check_access(init)

# Ask the kernel for the new context on services to label their sockets.
allow init kernel:security compute_create;

# Create sockets for the services.
# Together with setsockcreate above, the socket is created with the service's
# label rather than init's, so the target here is every domain.
allow init domain:unix_stream_socket { create bind };
allow init domain:unix_dgram_socket { create bind };

# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;

# Set any property.
# This is every property; the per-setter access check is the one init itself
# performs via selinux_check_access above.
allow init property_type:property_service set;

# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:capability audit_write;

# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs:
# (allowxperm restricts the generic ioctl permission above to the listed
# ioctl command numbers.)
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
allow init self:capability net_raw;

# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow init kernel:process setsched;

# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;

# Read from /dev/hw_random if present.
# system/core/init/init.c - mix_hwrng_into_linux_rng_action
allow init hw_random_device:chr_file r_file_perms;

# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO:  Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file create_file_perms;

# keychord configuration
allow init self:capability sys_tty_config;
allow init keychord_device:chr_file rw_file_perms;

# Access device mapper for setting up dm-verity
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;

# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;

# Read /sys/fs/pstore/console-ramoops to detect restarts caused
# by dm-verity detecting corrupted blocks
allow init pstorefs:dir search;
allow init pstorefs:file r_file_perms;
allow init kernel:system syslog_read;

# linux keyring configuration
# (the target type init is the source type, i.e. this is equivalent to self:key)
allow init init:key { write search setattr };

# Allow init to create /data/unencrypted
allow init unencrypted_data_file:dir create_dir_perms;

# Allow init to write to /proc/sys/vm/overcommit_memory
allow init proc_overcommit_memory:file { write };

# Connect to vold's unix socket (macro; expands to the socket-file write and
# unix_stream_socket connectto rules needed to reach the vold domain).
unix_socket_connect(init, vold, vold)

# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;

# Read-only access to /system and /vendor contents, and to /proc/meminfo.
r_dir_file(init, system_file)
r_dir_file(init, vendor_file_type)
allow init proc_meminfo:file r_file_perms;

allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file r_file_perms;

# For init to be able to run shell scripts from vendor
# execute only (no execute_no_trans, see the neverallow below), so the script
# always runs in another domain.
allow init vendor_shell_exec:file execute;

###
### neverallow rules
###
### neverallow rules are build-time assertions: a policy that grants any of
### the access listed here fails to compile, including device-specific
### additions.

# The init domain is only entered via an exec based transition from the
# kernel domain, never via setcon().
neverallow domain init:process dyntransition;
neverallow { domain -kernel } init:process transition;
# ... and only through the init_exec binary.
neverallow init { file_type fs_type -init_exec }:file entrypoint;

# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
neverallow init app_data_file:lnk_file read;

# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;

# Init never adds or uses services via service_manager.
neverallow init service_manager_type:service_manager { add find };
neverallow init servicemanager:service_manager list;

# Init should not be creating subdirectories in /data/local/tmp
neverallow init shell_data_file:dir { write add_name remove_name };
430