# Type-enforcement policy for the init domain (Android init; see the
# system/core references below). `allow` rules are cumulative: each one widens
# what init may do. The `neverallow` block at the end asserts limits that no
# other policy file, including device-specific policy, may override.

# init is its own domain.
# mlstrustedsubject exempts init from the MLS constraints, so the rules in
# this file are the only MAC bound on it.
type init, domain, mlstrustedsubject;

# The init domain is entered by execing init.
# (The neverallow rules at the bottom make init_exec the only entrypoint.)
type init_exec, exec_type, file_type;

# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };

#
# init direct restorecon calls.
#
# Each group below pairs a relabelfrom on the label a node carries before
# the restorecon with a relabelto on the label it is given.
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { write relabelto };
# /dev/kmsg_debug
# userdebug_or_eng: compiled into userdebug and eng builds only.
userdebug_or_eng(`
  allow init kmsg_debug_device:chr_file { write relabelto };
')
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { create_file_perms relabelto };
# /dev/event-log-tags
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto };
# /dev/socket
allow init { device socket_device }:dir relabelto;
# /dev/random, /dev/urandom
allow init random_device:chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
# Use file descriptors inherited from the kernel domain.
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
allow init system_block_device:{ blk_file lnk_file } relabelto;

# setrlimit
allow init self:capability sys_resource;

# Remove /dev/.booting, created before initial policy load or restorecon /dev.
allow init tmpfs:file unlink;

# Access pty created for fsck.
allow init devpts:chr_file { read write open };

# Create /dev/fscklogs files.
allow init fscklogs:file create_file_perms;

# Access /dev/__null__ node created prior to initial policy load.
allow init tmpfs:chr_file write;

# Access /dev/console.
allow init console_device:chr_file rw_file_perms;

# Access /dev/tty0.
allow init tty_device:chr_file rw_file_perms;

# Call mount(2).
# sys_admin is a broad capability; which filesystems and mount points init
# may actually touch is still bounded by the filesystem/mounton rules below.
allow init self:capability sys_admin;

# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;

# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;

# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };

# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;

# Create cgroups mount points in tmpfs and mount cgroups on them.
allow init tmpfs:dir create_dir_perms;
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
r_dir_file(init, cgroup)
allow init cpuctl_device:dir { create mounton };

# /config
allow init configfs:dir mounton;
allow init configfs:dir create_dir_perms;
allow init configfs:{ file lnk_file } create_file_perms;

# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;

# Create directories under /dev/cpuctl after chowning it to system.
# dac_override bypasses all DAC (uid/gid/mode) checks; only the MAC rules in
# this file still constrain what init can reach.
allow init self:capability dac_override;

# Set system clock.
allow init self:capability sys_time;

# mknod: create device nodes (e.g. the /dev/__null__ node above).
# NOTE(review): nothing here names the operation that needs sys_rawio —
# confirm against the callers before keeping it.
allow init self:capability { sys_rawio mknod };

# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;

# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
# `~relabelto` grants every permission of the filesystem class except relabelto.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;

# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;

# restorecon /adb_keys or any other rootfs files and directories to a more
# specific type.
allow init rootfs:{ dir file } relabelfrom;

# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow init self:capability { chown fowner fsetid };

# The types subtracted in the five rules below are data belonging to other
# domains (app, keystore, logd, shell, vold) or to /system and /vendor.
# Where init still needs a narrower access to one of them, a dedicated rule
# appears further down (misc_logd_file, keystore_data_file, vold_data_file,
# shell_data_file).
allow init {
  file_type
  -app_data_file
  -exec_type
  -misc_logd_file
  -system_app_data_file
  -system_file
  -vendor_file_type
}:dir { create search getattr open read setattr ioctl };

allow init {
  file_type
  -app_data_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };

allow init {
  file_type
  -app_data_file
  -runtime_event_log_tags_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:file { create getattr open read write setattr relabelfrom unlink };

allow init {
  file_type
  -app_data_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

allow init {
  file_type
  -app_data_file
  -exec_type
  -keystore_data_file
  -misc_logd_file
  -shell_data_file
  -system_app_data_file
  -system_file
  -vendor_file_type
  -vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };

allow init cache_file:lnk_file r_file_perms;

# restorecon targets: init may relabel to any file type except the /system,
# /vendor and executable types, and may relabel sysfs/debugfs nodes.
allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
# Create directories and symlinks on dev_type locations.
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;

# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow init debugfs_tracing:file w_file_perms;

# Setup and control wifi event tracing (see wifi-events.rc)
allow init debugfs_tracing_instances:dir create_dir_perms;
allow init debugfs_tracing_instances:file w_file_perms;
allow init debugfs_wifi_tracing:file w_file_perms;

# chown/chmod on pseudo files.
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };

# init should not be able to read or open generic devices
# TODO: auditing to see if this can be deleted entirely
allow init {
  dev_type
  -kmem_device
  -port_device
  -device
  -vndbinder_device
  }:chr_file { read open };
# auditallow grants nothing: it logs each read/open the rule above permits on
# a device type not excluded here, so the TODO can be settled from audit data.
auditallow init {
  dev_type
  -alarm_device
  -ashmem_device
  -binder_device
  -console_device
  -device
  -devpts
  -dm_device
  -hwbinder_device
  -hw_random_device
  -keychord_device
  -kmem_device
  -kmsg_device
  -null_device
  -owntty_device
  -port_device
  -ptmx_device
  -random_device
  -zero_device
}:chr_file { read open };

# chown/chmod on devices.
allow init { dev_type -kmem_device -port_device }:chr_file setattr;

# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };

# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
allow init self:capability2 syslog;

# Set usermodehelpers and /proc security settings.
allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
allow init proc_security:file rw_file_perms;

# Write to /proc/sys/kernel/panic_on_oops.
r_dir_file(init, proc)
allow init proc:file w_file_perms;

# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
r_dir_file(init, proc_net)
allow init proc_net:file w_file_perms;
allow init self:capability net_admin;

# Write to /proc/sysrq-trigger.
allow init proc_sysrq:file w_file_perms;

# Read /proc/stat for bootchart.
allow init proc_stat:file r_file_perms;

# Reboot.
allow init self:capability sys_boot;

# Write to sysfs nodes.
allow init sysfs_type:dir r_dir_perms;
allow init sysfs_type:lnk_file read;
allow init sysfs_type:file rw_file_perms;

# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
# Init will also walk through the directory as part of a recursive restorecon.
allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
allow init misc_logd_file:file { open create getattr setattr write };

# Support "adb shell stop"
# The process rule applies to every domain, not only the services init starts.
allow init self:capability kill;
allow init domain:process { getpgid sigkill signal };

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
# Deliberately no file read/write: keystore_data_file is subtracted from the
# generic file_type rules above.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };

# Init creates vold's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init vold_data_file:dir { open create read getattr setattr search };
allow init vold_data_file:file { getattr };

# Init creates /data/local/tmp at boot
# (the neverallow at the end forbids creating entries inside it).
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };

# Set UID, GID, and adjust capability bounding set for services.
allow init self:capability { setuid setgid setpcap };

# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have following line to allow init to have access
# to different domains.
r_dir_file(init, domain)

# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };

# Get file context
allow init file_contexts_file:file r_file_perms;

# sepolicy access
allow init sepolicy_file:file r_file_perms;

# Perform SELinux access checks on setting properties.
selinux_check_access(init)

# Ask the kernel for the new context on services to label their sockets.
allow init kernel:security compute_create;

# Create sockets for the services.
allow init domain:unix_stream_socket { create bind setopt };
allow init domain:unix_dgram_socket { create bind setopt };

# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;

# Set any property.
# init itself may set every property; which property a given client may set
# is decided by init through the selinux_check_access() call above.
allow init property_type:property_service set;

# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:capability audit_write;

# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs:
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
allow init self:capability net_raw;

# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow init kernel:process setsched;

# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;

# Read from /dev/hw_random if present.
# system/core/init/init.c - mix_hwrng_into_linux_rng_action
allow init hw_random_device:chr_file r_file_perms;

# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO: Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file create_file_perms;

# keychord configuration
allow init self:capability sys_tty_config;
allow init keychord_device:chr_file rw_file_perms;

# Access device mapper for setting up dm-verity
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;

# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;

# Read /sys/fs/pstore/console-ramoops to detect restarts caused
# by dm-verity detecting corrupted blocks
allow init pstorefs:dir search;
allow init pstorefs:file r_file_perms;
allow init kernel:system syslog_read;

# linux keyring configuration
allow init init:key { write search setattr };

# Allow init to create /data/unencrypted
allow init unencrypted_data_file:dir create_dir_perms;

# Allow init to write to /proc/sys/vm/overcommit_memory
allow init proc_overcommit_memory:file { write };

# Connect to vold's unix domain socket.
unix_socket_connect(init, vold, vold)

# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;

# Read-only access to /system and /vendor files, and to /proc/meminfo.
r_dir_file(init, system_file)
r_dir_file(init, vendor_file_type)
allow init proc_meminfo:file r_file_perms;

# Read (not write) system_data_file files and follow their symlinks.
allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file r_file_perms;

# For init to be able to run shell scripts from vendor
# (execute only: the execute_no_trans neverallow below forces a domain
# transition on every exec).
allow init vendor_shell_exec:file execute;

###
### neverallow rules
###
# These are build-time assertions, not grants: policy compilation fails if
# any allow rule anywhere (including device-specific policy) contradicts them.

# The init domain is only entered via an exec based transition from the
# kernel domain, never via setcon().
neverallow domain init:process dyntransition;
neverallow { domain -kernel } init:process transition;
neverallow init { file_type fs_type -init_exec }:file entrypoint;

# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
neverallow init app_data_file:lnk_file read;

# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;

# Init never adds or uses services via service_manager.
neverallow init service_manager_type:service_manager { add find };
neverallow init servicemanager:service_manager list;

# Init should not be creating subdirectories in /data/local/tmp
neverallow init shell_data_file:dir { write add_name remove_name };