blob: b833da8c0db4e992b070957306c26aa87c17a1bf [file] [log] [blame]
Stephen Smalley2dd4e512012-01-04 12:33:27 -05001# init switches to init domain (via init.rc).
2type init, domain;
Stephen Smalleya523aac2014-10-24 15:56:15 -04003permissive_or_unconfined(init)
Stephen Smalley2dd4e512012-01-04 12:33:27 -05004tmpfs_domain(init)
Nick Kralevich0c9708b2013-07-10 14:46:05 -07005
Stephen Smalleya523aac2014-10-24 15:56:15 -04006# setrlimit
7allow init self:capability sys_resource;
8
9# Remove /dev/.booting, created before initial policy load or restorecon /dev.
10allow init tmpfs:file unlink;
11
12# Access pty created for fsck.
13allow init devpts:chr_file { read write open };
14
15# Create /dev/fscklogs files.
16allow init fscklogs:file create_file_perms;
17
18# Access /dev/__null__ node created prior to initial policy load.
19allow init tmpfs:chr_file write;
20
21# Access /dev/console.
22allow init console_device:chr_file rw_file_perms;
23
24# Access /dev/tty0.
25allow init tty_device:chr_file rw_file_perms;
26
27# Call mount(2).
28allow init self:capability sys_admin;
29
30# Create and mount on directories in /.
31allow init rootfs:dir create_dir_perms;
32allow init rootfs:dir mounton;
33
34# Mount on /dev/usb-ffs/adb.
35allow init device:dir mounton;
36
37# Create symlinks in /.
38allow init rootfs:lnk_file create;
39
40# Mount debugfs on /sys/kernel/debug.
41allow init sysfs:dir mounton;
42
43# Create cgroups mount points in tmpfs and mount cgroups on them.
44allow init tmpfs:dir create_dir_perms;
45allow init tmpfs:dir mounton;
46allow init cgroup:dir create_dir_perms;
47allow init cpuctl_device:dir { create mounton };
48
49# Create directories under /dev/cpuctl after chowning it to system.
50allow init self:capability dac_override;
51
52# Set system clock.
53allow init self:capability sys_time;
54
Stephen Smalley5487ca02014-02-10 16:31:04 -050055allow init self:capability { sys_rawio mknod };
56
Stephen Smalley8a0c25e2014-09-23 09:11:30 -040057# Mounting filesystems from block devices.
58allow init dev_type:blk_file r_file_perms;
Stephen Smalleyeb1bbf22014-05-29 14:35:55 -040059
60# Mounting filesystems.
Stephen Smalley75e2ef92014-06-16 13:05:38 -040061# Only allow relabelto for types used in context= mount options,
62# which should all be assigned the contextmount_type attribute.
63# This can be done in device-specific policy via type or typeattribute
64# declarations.
65allow init fs_type:filesystem ~relabelto;
66allow init unlabeled:filesystem ~relabelto;
67allow init contextmount_type:filesystem relabelto;
68
69# Allow read-only access to context= mounted filesystems.
70allow init contextmount_type:dir r_dir_perms;
71allow init contextmount_type:notdevfile_class_set r_file_perms;
Stephen Smalleyeb1bbf22014-05-29 14:35:55 -040072
Stephen Smalleyc626a882014-06-23 09:17:51 -040073# restorecon /adb_keys or any other rootfs files to a more specific type.
74allow init rootfs:file relabelfrom;
75
Stephen Smalleya523aac2014-10-24 15:56:15 -040076# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
77# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
Stephen Smalleyeb1bbf22014-05-29 14:35:55 -040078# system/core/init.rc requires at least cache_file and data_file_type.
79# init.<board>.rc files often include device-specific types, so
80# we just allow all file types except /system files here.
Stephen Smalleya523aac2014-10-24 15:56:15 -040081allow init self:capability { chown fowner fsetid };
82allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr };
Stephen Smalleyc4575722014-10-30 16:50:25 -040083allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:dir { write add_name remove_name rmdir relabelfrom };
Stephen Smalleya523aac2014-10-24 15:56:15 -040084allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:file { create getattr open read write setattr relabelfrom unlink };
85allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
86allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
Nick Kralevich03ce5122014-05-20 11:09:16 -070087allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
Stephen Smalleya523aac2014-10-24 15:56:15 -040088allow init sysfs:{ dir file lnk_file } { getattr relabelfrom };
Stephen Smalley32915652014-07-17 14:54:44 -040089allow init sysfs_type:{ dir file lnk_file } relabelto;
Stephen Smalleya523aac2014-10-24 15:56:15 -040090allow init dev_type:dir create_dir_perms;
91allow init dev_type:lnk_file create;
92
93# chown/chmod on pseudo files.
94allow init { fs_type -contextmount_type -sdcard_type -rootfs }:{ dir file } { open read setattr };
95
96# chown/chmod on devices.
Stephen Smalley1c16abd2014-11-10 12:15:33 -050097allow init { dev_type -kmem_device }:chr_file { read open setattr };
Stephen Smalleyeb1bbf22014-05-29 14:35:55 -040098
Stephen Smalley73b03462014-05-30 09:53:00 -040099# Unlabeled file access for upgrades from 4.2.
100allow init unlabeled:dir { create_dir_perms relabelfrom };
101allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
102
Stephen Smalley3235f612014-05-30 10:25:00 -0400103# Create /data/security from init.rc post-fs-data.
104allow init security_file:dir { create setattr };
105
Stephen Smalleyeb1bbf22014-05-29 14:35:55 -0400106# Reload policy upon setprop selinux.reload_policy 1.
Stephen Smalley3235f612014-05-30 10:25:00 -0400107r_dir_file(init, security_file)
Stephen Smalleyfea6e662013-12-06 08:05:53 -0500108allow init kernel:security load_policy;
Stephen Smalleyeb1bbf22014-05-29 14:35:55 -0400109
110# Any operation that can modify the kernel ring buffer, e.g. clear
111# or a read that consumes the messages that were read.
Nick Kralevich685e2f92014-05-28 13:48:52 -0700112allow init kernel:system syslog_mod;
Stephen Smalleya523aac2014-10-24 15:56:15 -0400113allow init self:capability2 syslog;
114
115# Triggered by chmod 0444 /sys/fs/selinux/policy.
116allow init kernel:security read_policy;
Stephen Smalleyeb1bbf22014-05-29 14:35:55 -0400117
118# Set usermodehelpers and /proc security settings.
Stephen Smalley7adb9992013-12-06 09:31:40 -0500119allow init usermodehelper:file rw_file_perms;
120allow init proc_security:file rw_file_perms;
Nick Kralevichfed8a2a2014-01-24 20:43:07 -0800121
Stephen Smalleya523aac2014-10-24 15:56:15 -0400122# Write to /proc/sys/kernel/panic_on_oops.
123allow init proc:file w_file_perms;
124
125# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
126allow init proc_net:file w_file_perms;
127allow init self:capability net_admin;
128
129# Write to /proc/sysrq-trigger.
130allow init proc_sysrq:file w_file_perms;
131
132# Reboot.
133allow init self:capability sys_boot;
134
135# Write to sysfs nodes.
136allow init sysfs_type:dir r_dir_perms;
137allow init sysfs_type:file w_file_perms;
138
Nick Kralevichfed8a2a2014-01-24 20:43:07 -0800139# Transitions to seclabel processes in init.rc
Nick Kralevicha7c04dc2014-07-03 22:13:14 -0700140domain_trans(init, rootfs, adbd)
141domain_trans(init, rootfs, healthd)
142recovery_only(`
143 domain_trans(init, rootfs, recovery)
144')
145domain_trans(init, shell_exec, shell)
146domain_trans(init, rootfs, ueventd)
147domain_trans(init, rootfs, watchdogd)
148
149# Certain domains need LD_PRELOAD passed from init.
150# https://android-review.googlesource.com/94851
Nick Kralevich8a5b28d2014-07-16 18:42:36 -0700151# For now, allow it to most domains.
Nick Kralevicha7c04dc2014-07-03 22:13:14 -0700152# TODO: scope this down.
Nick Kralevich8a5b28d2014-07-16 18:42:36 -0700153allow init { domain -lmkd }:process noatsecure;
Nick Kralevicha7c04dc2014-07-03 22:13:14 -0700154
155# Support "adb shell stop"
Stephen Smalleya523aac2014-10-24 15:56:15 -0400156allow init self:capability kill;
Nick Kralevicha7c04dc2014-07-03 22:13:14 -0700157allow init domain:process sigkill;
Nick Kralevichcd905ec2014-05-08 23:28:52 -0700158
159# Init creates keystore's directory on boot, and walks through
160# the directory as part of a recursive restorecon.
161allow init keystore_data_file:dir { open create read getattr setattr search };
162allow init keystore_data_file:file { getattr };
Stephen Smalley356f4be2014-05-23 11:26:19 -0400163
Nick Kralevichee49c0e2014-06-07 10:00:59 -0700164# Init creates /data/local/tmp at boot
165allow init shell_data_file:dir { open create read getattr setattr search };
166allow init shell_data_file:file { getattr };
167
Stephen Smalleya523aac2014-10-24 15:56:15 -0400168# Set UID and GID for services.
169allow init self:capability { setuid setgid };
170
Stephen Smalley356f4be2014-05-23 11:26:19 -0400171# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
172# setexec is for services with seclabel options.
173# setfscreate is for labeling directories and socket files.
174# setsockcreate is for labeling local/unix domain sockets.
175allow init self:process { setexec setfscreate setsockcreate };
Stephen Smalleyad0d0fc2014-05-29 09:22:16 -0400176
Stephen Smalleya523aac2014-10-24 15:56:15 -0400177# Perform SELinux access checks on setting properties.
178selinux_check_access(init)
179
180# Ask the kernel for the new context on services to label their sockets.
181allow init kernel:security compute_create;
182
183# Create sockets for the services.
184allow init domain:unix_stream_socket { create bind };
185allow init domain:unix_dgram_socket { create bind };
186
Stephen Smalleyad0d0fc2014-05-29 09:22:16 -0400187# Create /data/property and files within it.
188allow init property_data_file:dir create_dir_perms;
189allow init property_data_file:file create_file_perms;
Stephen Smalleybac4ccc2014-06-18 10:09:35 -0400190
Stephen Smalleyfee49152014-06-19 10:27:02 -0400191# Set any property.
192allow init property_type:property_service set;
193
Nick Kralevich0db95cc2014-06-20 21:15:56 -0700194# Run "ifup lo" to bring up the localhost interface
195allow init self:udp_socket { create ioctl };
Stephen Smalleya523aac2014-10-24 15:56:15 -0400196allow init self:capability net_raw;
Nick Kralevich0db95cc2014-06-20 21:15:56 -0700197
Nick Kralevicha7c04dc2014-07-03 22:13:14 -0700198# This line seems suspect, as it should not really need to
199# set scheduling parameters for a kernel domain task.
200allow init kernel:process setsched;
201
Nick Kralevichbeb279c2014-10-20 11:52:19 -0700202# swapon() needs write access to swap device
203# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
204allow init swap_block_device:blk_file rw_file_perms;
205
Stephen Smalley0d08d472014-10-21 10:09:33 -0400206# Read from /dev/hw_random if present.
207# system/core/init/init.c - mix_hwrng_into_linux_rng_action
208allow init hw_random_device:chr_file r_file_perms;
209
210# Create and access /dev files without a specific type,
Stephen Smalleya523aac2014-10-24 15:56:15 -0400211# e.g. /dev/.coldboot_done, /dev/.booting
Stephen Smalley0d08d472014-10-21 10:09:33 -0400212# TODO: Move these files into their own type unless they are
213# only ever accessed by init.
214allow init device:file create_file_perms;
215auditallow init device:file create_file_perms;
216
217# Access character devices without a specific type,
218# e.g. /dev/keychord.
219# TODO: Move these devices into their own type unless they
220# are only ever accessed by init.
221allow init device:chr_file { rw_file_perms setattr };
222auditallow init device:chr_file { rw_file_perms setattr };
223
Stephen Smalleya523aac2014-10-24 15:56:15 -0400224# keychord configuration
225allow init self:capability sys_tty_config;
226
Stephen Smalleybac4ccc2014-06-18 10:09:35 -0400227###
228### neverallow rules
229###
230
231# The init domain is only entered via setcon from the kernel domain,
232# never via an exec-based transition.
233neverallow { domain -kernel} init:process dyntransition;
234neverallow domain init:process transition;
235neverallow init { file_type fs_type }:file entrypoint;
Stephen Smalley018e9402014-09-02 17:05:44 -0400236
237# Never read/follow symlinks created by shell or untrusted apps.
238neverallow init shell_data_file:lnk_file read;
239neverallow init app_data_file:lnk_file read;
Stephen Smalley8a0c25e2014-09-23 09:11:30 -0400240
241# init should never execute a program without changing to another domain.
242neverallow init { file_type fs_type }:file execute_no_trans;