blob: b5b799330e5216c87d875d4f8c6d90c7dda7379f [file] [log] [blame]
Stephen Smalley2dd4e512012-01-04 12:33:27 -05001# init switches to init domain (via init.rc).
2type init, domain;
Stephen Smalley2dd4e512012-01-04 12:33:27 -05003# init is unconfined.
4unconfined_domain(init)
5tmpfs_domain(init)
Nick Kralevich0c9708b2013-07-10 14:46:05 -07006
Stephen Smalley5487ca02014-02-10 16:31:04 -05007allow init self:capability { sys_rawio mknod };
8
Stephen Smalleyf3c3a1a2014-06-19 09:07:17 -04009# Run helpers from / or /system without changing domain.
10# We do not include exec_type here since generally those
11# should always involve a domain transition.
12allow init rootfs:file execute_no_trans;
13allow init system_file:file execute_no_trans;
14
Stephen Smalleyeb1bbf22014-05-29 14:35:55 -040015# Running e2fsck or mkswap via fs_mgr.
Stephen Smalley3f40d4f2014-02-11 14:40:14 -050016allow init dev_type:blk_file rw_file_perms;
Stephen Smalleyeb1bbf22014-05-29 14:35:55 -040017
18# Mounting filesystems.
Stephen Smalley75e2ef92014-06-16 13:05:38 -040019# Only allow relabelto for types used in context= mount options,
20# which should all be assigned the contextmount_type attribute.
21# This can be done in device-specific policy via type or typeattribute
22# declarations.
23allow init fs_type:filesystem ~relabelto;
24allow init unlabeled:filesystem ~relabelto;
25allow init contextmount_type:filesystem relabelto;
26
27# Allow read-only access to context= mounted filesystems.
28allow init contextmount_type:dir r_dir_perms;
29allow init contextmount_type:notdevfile_class_set r_file_perms;
Stephen Smalleyeb1bbf22014-05-29 14:35:55 -040030
Stephen Smalleyc626a882014-06-23 09:17:51 -040031# restorecon /adb_keys or any other rootfs files to a more specific type.
32allow init rootfs:file relabelfrom;
33
Stephen Smalleyeb1bbf22014-05-29 14:35:55 -040034# restorecon and restorecon_recursive calls from init.rc files.
35# system/core/init.rc requires at least cache_file and data_file_type.
36# init.<board>.rc files often include device-specific types, so
37# we just allow all file types except /system files here.
Nick Kralevich03ce5122014-05-20 11:09:16 -070038allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
Stephen Smalley32915652014-07-17 14:54:44 -040039allow init sysfs_type:{ dir file lnk_file } relabelto;
Stephen Smalleyeb1bbf22014-05-29 14:35:55 -040040
Stephen Smalley73b03462014-05-30 09:53:00 -040041# Unlabeled file access for upgrades from 4.2.
42allow init unlabeled:dir { create_dir_perms relabelfrom };
43allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
44
Stephen Smalley3235f612014-05-30 10:25:00 -040045# Create /data/security from init.rc post-fs-data.
46allow init security_file:dir { create setattr };
47
48# setprop selinux.reload_policy 1 from init.rc post-fs-data.
49allow init security_prop:property_service set;
50
Stephen Smalleyeb1bbf22014-05-29 14:35:55 -040051# Reload policy upon setprop selinux.reload_policy 1.
Stephen Smalley3235f612014-05-30 10:25:00 -040052r_dir_file(init, security_file)
Stephen Smalleyfea6e662013-12-06 08:05:53 -050053allow init kernel:security load_policy;
Stephen Smalleyeb1bbf22014-05-29 14:35:55 -040054
55# Any operation that can modify the kernel ring buffer, e.g. clear
56# or a read that consumes the messages that were read.
Nick Kralevich685e2f92014-05-28 13:48:52 -070057allow init kernel:system syslog_mod;
Stephen Smalleyeb1bbf22014-05-29 14:35:55 -040058
59# Set usermodehelpers and /proc security settings.
Stephen Smalley7adb9992013-12-06 09:31:40 -050060allow init usermodehelper:file rw_file_perms;
61allow init proc_security:file rw_file_perms;
Nick Kralevichfed8a2a2014-01-24 20:43:07 -080062
63# Transitions to seclabel processes in init.rc
Nick Kralevicha7c04dc2014-07-03 22:13:14 -070064domain_trans(init, rootfs, adbd)
65domain_trans(init, rootfs, healthd)
66recovery_only(`
67 domain_trans(init, rootfs, recovery)
68')
69domain_trans(init, shell_exec, shell)
70domain_trans(init, rootfs, ueventd)
71domain_trans(init, rootfs, watchdogd)
72
73# Certain domains need LD_PRELOAD passed from init.
74# https://android-review.googlesource.com/94851
Nick Kralevich8a5b28d2014-07-16 18:42:36 -070075# For now, allow it to most domains.
Nick Kralevicha7c04dc2014-07-03 22:13:14 -070076# TODO: scope this down.
Nick Kralevich8a5b28d2014-07-16 18:42:36 -070077allow init { domain -lmkd }:process noatsecure;
Nick Kralevicha7c04dc2014-07-03 22:13:14 -070078
79# Support "adb shell stop"
80allow init domain:process sigkill;
Nick Kralevichcd905ec2014-05-08 23:28:52 -070081
82# Init creates keystore's directory on boot, and walks through
83# the directory as part of a recursive restorecon.
84allow init keystore_data_file:dir { open create read getattr setattr search };
85allow init keystore_data_file:file { getattr };
Stephen Smalley356f4be2014-05-23 11:26:19 -040086
Nick Kralevichee49c0e2014-06-07 10:00:59 -070087# Init creates /data/local/tmp at boot
88allow init shell_data_file:dir { open create read getattr setattr search };
89allow init shell_data_file:file { getattr };
90
Stephen Smalley356f4be2014-05-23 11:26:19 -040091# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
92# setexec is for services with seclabel options.
93# setfscreate is for labeling directories and socket files.
94# setsockcreate is for labeling local/unix domain sockets.
95allow init self:process { setexec setfscreate setsockcreate };
Stephen Smalleyad0d0fc2014-05-29 09:22:16 -040096
97# Create /data/property and files within it.
98allow init property_data_file:dir create_dir_perms;
99allow init property_data_file:file create_file_perms;
Stephen Smalleybac4ccc2014-06-18 10:09:35 -0400100
Stephen Smalleyfee49152014-06-19 10:27:02 -0400101# Set any property.
102allow init property_type:property_service set;
103
Nick Kralevich0db95cc2014-06-20 21:15:56 -0700104# Run "ifup lo" to bring up the localhost interface
105allow init self:udp_socket { create ioctl };
106
Nick Kralevicha7c04dc2014-07-03 22:13:14 -0700107# This line seems suspect, as it should not really need to
108# set scheduling parameters for a kernel domain task.
109allow init kernel:process setsched;
110
Stephen Smalleybac4ccc2014-06-18 10:09:35 -0400111###
112### neverallow rules
113###
114
115# The init domain is only entered via setcon from the kernel domain,
116# never via an exec-based transition.
117neverallow { domain -kernel} init:process dyntransition;
118neverallow domain init:process transition;
119neverallow init { file_type fs_type }:file entrypoint;