# Life begins with the kernel.
#
# Policy for the kernel domain: the context of the initial task (assigned via
# initial_sid_contexts, see the neverallow block at the end) and of kernel
# threads such as loop0. /init also runs in this domain until it setcons
# into the init domain, so every allow rule below applies both to kernel
# threads and to the pre-setcon /init process. Keep grants as narrow as the
# listed use case needs; the domain is otherwise unconfined.
type kernel, domain;

# Run /init before we have switched domains.
# execute_no_trans rather than a domain transition: the initial task execs
# /init in place and only later switches to the init domain via setcon.
allow kernel rootfs:file execute_no_trans;

# setcon to init domain.
# setcurrent on self plus dyntransition to init is the pair needed for
# init's setcon; the reverse direction (anything -> kernel) is forbidden by
# the neverallow below.
allow kernel self:process setcurrent;
allow kernel init:process dyntransition;

# The kernel is unconfined.
# NOTE(review): unconfined_domain() is a macro defined elsewhere, so what it
# still grants cannot be seen from this file. The explicit allow rules that
# follow are the ones the kernel domain needs beyond that macro; the
# neverallows at the end bound the domain regardless of its contents.
unconfined_domain(kernel)

# cgroup filesystem initialization prior to setting the cgroup root directory label.
# Only dir search on unlabeled is granted; nothing is created or written.
allow kernel unlabeled:dir search;

# Mount usbfs.
allow kernel usbfs:filesystem mount;

# init direct restorecon calls prior to switching to init domain
# (init is still in the kernel domain at that point, so the relabel
# permissions have to live here rather than in init.te).
# /dev and /dev/socket
allow kernel { device socket_device }:dir relabelto;
# /dev/__properties__
allow kernel properties_device:file relabelto;
# /sys
# relabelfrom is limited to the generic sysfs label; relabelto covers
# sysfs_type (presumably the attribute shared by all sysfs labels -- confirm
# against the attribute definitions) so init can apply per-node labels.
allow kernel sysfs:{ dir file lnk_file } relabelfrom;
allow kernel sysfs_type:{ dir file lnk_file } relabelto;

# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
# NOTE(review): presumably the initial setenforce is issued while the policy
# is still permissive, so the denial is harmless and dontaudit only silences
# the log line; once enforcing, this rule denies setenforce for the whole
# kernel domain. Confirm against init's setenforce ordering.
dontaudit kernel self:security setenforce;

# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;

# MTP sync (b/15835289)
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
# NOTE(review): policy cannot scope a grant to one kernel thread, so this is
# read/write on every sdcard_type file for the entire kernel domain (including
# pre-setcon /init), not just the descriptor loop0 is handed.
allow kernel sdcard_type:file { read write };

# Allow the kernel to read OBB files from app directories. (b/17428116)
# Kernel thread "loop0" reads a vold supplied file descriptor.
# Fixes CTS tests:
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
# NOTE(review): as with sdcard_type above, read is granted on all
# app_data_file, not only the vold-supplied descriptor; read (no write) is
# the minimum a read-only loop backing file needs.
allow kernel app_data_file:file read;

###
### neverallow rules
###

# The initial task starts in the kernel domain (assigned via
# initial_sid_contexts), but nothing ever transitions to it.
# This is what keeps the unconfined kernel domain unreachable from userspace:
# no domain, not even init, may transition or dyntransition into it.
neverallow domain kernel:process { transition dyntransition };

# The kernel domain is never entered via an exec, nor should it
# ever execute a program outside the rootfs without changing to another domain.
# If you encounter an execute_no_trans denial on the kernel domain, then
# possible causes include:
# - The program is a kernel usermodehelper. In this case, define a domain
# for the program and domain_auto_trans() to it.
# - You failed to setcon u:r:init:s0 in your init.rc and thus your init
# program was left in the kernel domain and is now trying to execute
# some other program. Fix your init.rc file.
# - You are running an exploit which switched to the init task credentials
# and is then trying to exec a shell or other program. You lose!
# rootfs is carved out of the target set so that the execute_no_trans grant
# for /init at the top of this file does not conflict with this rule.
neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };