# init is its own domain.
# mlstrustedsubject exempts init from MLS (sensitivity-level) constraints so it
# can operate on objects at any level; it adds no type-enforcement permissions.
type init, domain, mlstrustedsubject;
type init_exec, system_file_type, exec_type, file_type;
type init_tmpfs, file_type;

# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };

#
# init direct restorecon calls.
#
# Each group below follows the restorecon pattern: relabelfrom on the generic
# type a node currently carries (tmpfs/device, typically assigned before the
# policy was loaded) and relabelto on the specific type it should end up with.
# Keeping the relabelto targets enumerated is what stops init from relabeling a
# node to an arbitrary device type.
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { getattr write relabelto };
# /dev/kmsg_debug
userdebug_or_eng(`
  allow init kmsg_debug_device:chr_file { write relabelto };
')
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
# init owns the property area: it creates, maps, rewrites, renames and removes
# the per-type property files for every property_type.
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
# /dev/__properties__/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
# /dev/event-log-tags
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
allow init { device socket_device }:dir relabelto;
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
allow init { null_device ptmx_device random_device } : chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
# File descriptors inherited from the kernel domain, which is the only domain
# that may transition into init (see the neverallow rules at the end of this
# file).
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
allow init {
  metadata_block_device
  misc_block_device
  recovery_block_device
  system_block_device
  userdata_block_device
}:{ blk_file lnk_file } relabelto;
48
# setrlimit
allow init self:global_capability_class_set sys_resource;

# Remove /dev/.booting and load /debug_ramdisk/* files
allow init tmpfs:file { getattr unlink };

# Access pty created for fsck.
allow init devpts:chr_file { read write open };

# Create /dev/fscklogs files.
allow init fscklogs:file create_file_perms;

# Access /dev/__null__ node created prior to initial policy load.
# Note: write is already part of the rw_file_perms grant on tmpfs:chr_file
# above, so this rule is redundant; it is kept to document the intent.
allow init tmpfs:chr_file write;

# Access /dev/console.
allow init console_device:chr_file rw_file_perms;

# Access /dev/tty0.
allow init tty_device:chr_file rw_file_perms;

# Call mount(2).
# CAP_SYS_ADMIN is the broadest capability in the set. mount(2) needs it, but the
# SELinux mounton/filesystem rules below, not the capability, bound which
# targets init may actually mount on.
allow init self:global_capability_class_set sys_admin;

# Call setns(2).
allow init self:global_capability_class_set sys_chroot;

# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
allow init cgroup_bpf:dir { create mounton };

# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;

# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;

# Mount tmpfs on /apex
allow init apex_mnt_dir:dir mounton;

# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };

# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;

# Create cgroups mount points in tmpfs and mount cgroups on them.
allow init tmpfs:dir create_dir_perms;
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
allow init cgroup:file rw_file_perms;
allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
allow init vendor_cgroup_desc_file:file r_file_perms;

# /config
allow init configfs:dir mounton;
allow init configfs:dir create_dir_perms;
allow init configfs:{ file lnk_file } create_file_perms;

# /metadata
allow init metadata_file:dir mounton;

# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;

# Create directories under /dev/cpuctl after chowning it to system.
# dac_override/dac_read_search bypass Unix mode bits entirely, so for init's
# file operations SELinux type enforcement is the only access control left.
allow init self:global_capability_class_set { dac_override dac_read_search };

# Set system clock.
allow init self:global_capability_class_set sys_time;

# sys_rawio: raw block-device / port I/O. mknod: create device nodes
# (first-stage init populates /dev; see the relabel rules above for nodes it
# created).
allow init self:global_capability_class_set { sys_rawio mknod };

# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
# Once an allowxperm exists for this (source, target, class) triple, ioctl is
# limited to the listed request(s); BLKROSET toggles the device read-only flag.
allowxperm init dev_type:blk_file ioctl BLKROSET;

# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
# NOTE: "~relabelto" is a complement set. It grants every permission the
# filesystem class has except relabelto, including any permission added to the
# class in a future policy version; re-review this rule if the class changes.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;
136
# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;

# restorecon /adb_keys or any other rootfs files and directories to a more
# specific type.
allow init rootfs:{ dir file } relabelfrom;

# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow init self:global_capability_class_set { chown fowner fsetid };

# The next five rules are attribute-wide grants on file_type with explicit
# carve-outs. Because file_type covers every file label on the device
# (including the device-specific types mentioned above), the exclusion lists
# are the effective boundary: a newly introduced sensitive type is reachable by
# init unless it is added to them. The carve-outs protect app-private data
# (app_data_file, privapp_data_file, system_app_data_file), executables
# (exec_type), the read-only partitions (system_file_type, vendor_file_type),
# and daemon directories that init may only create and traverse for restorecon
# (keystore, vold, shell, misc_logd; see the targeted rules later in this file).
allow init {
  file_type
  -app_data_file
  -exec_type
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -system_app_data_file
  -system_file_type
  -vendor_file_type
}:dir { create search getattr open read setattr ioctl };

allow init {
  file_type
  -app_data_file
  -exec_type
  -gsi_data_file
  -iorapd_data_file
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -shell_data_file
  -system_app_data_file
  -system_file_type
  -vendor_file_type
  -vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };

allow init {
  file_type
  -app_data_file
  -exec_type
  -gsi_data_file
  -iorapd_data_file
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -runtime_event_log_tags_file
  -shell_data_file
  -system_app_data_file
  -system_file_type
  -vendor_file_type
  -vold_data_file
}:file { create getattr open read write setattr relabelfrom unlink map };

allow init {
  file_type
  -app_data_file
  -exec_type
  -gsi_data_file
  -iorapd_data_file
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -shell_data_file
  -system_app_data_file
  -system_file_type
  -vendor_file_type
  -vold_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

allow init {
  file_type
  -apex_mnt_dir
  -app_data_file
  -exec_type
  -gsi_data_file
  -iorapd_data_file
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -shell_data_file
  -system_app_data_file
  -system_file_type
  -vendor_file_type
  -vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };

allow init cache_file:lnk_file r_file_perms;

# relabelto deliberately has a shorter exclusion list than the rules above:
# during a recursive restorecon init must be able to relabel files *to*
# daemon-private types such as keystore_data_file or vold_data_file even though
# it cannot write into them. System/vendor/exec types and app data stay
# excluded so init can never turn an arbitrary file into one of those.
allow init {
  file_type
  -system_file_type
  -vendor_file_type
  -exec_type
  -app_data_file
  -privapp_data_file
}:dir_file_class_set relabelto;

# restorecon on /sys and debugfs: relabel away from the generic sysfs/debugfs
# labels toward the specific sysfs_type/debugfs_type labels.
allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
249
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow init debugfs_tracing:file w_file_perms;

# Setup and control wifi event tracing (see wifi-events.rc)
allow init debugfs_tracing_instances:dir create_dir_perms;
allow init debugfs_tracing_instances:file w_file_perms;
allow init debugfs_wifi_tracing:file w_file_perms;

# chown/chmod on pseudo files.
# Granted across fs_type with carve-outs; context= mounts, /proc (proc_type),
# sdcard, sysfs_type and rootfs only get the targeted rules elsewhere in this
# file.
allow init {
  fs_type
  -contextmount_type
  -keychord_device
  -proc_type
  -sdcard_type
  -sysfs_type
  -rootfs
}:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };

# Device nodes init may open for reading. No write is granted here; write
# access is given per device where needed (e.g. console_device, tty_device,
# kmsg_device above).
allow init {
  ashmem_device
  binder_device
  console_device
  devpts
  dm_device
  hwbinder_device
  hw_random_device
  input_device
  kmsg_device
  null_device
  owntty_device
  pmsg_device
  ptmx_device
  random_device
  tty_device
  zero_device
}:chr_file { read open };

# chown/chmod on devices.
# keychord_device and port_device are excluded: init may not change the
# ownership or mode of those nodes.
allow init {
  dev_type
  -keychord_device
  -port_device
}:chr_file setattr;

# Unlabeled file access for upgrades from 4.2.
# Legacy carve-out: anything still carrying the "unlabeled" type is fully
# creatable/readable/writable by init until it is relabeled. Do not widen.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };

# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
allow init self:global_capability2_class_set syslog;
304
# init access to /proc.
r_dir_file(init, proc_net_type)
allow init proc_filesystems:file r_file_perms;

userdebug_or_eng(`
  # Overlayfs workdir write access check during mount to permit remount,rw
  # Compiled in on userdebug/eng builds only; this file grants raw write access
  # to system_block_device nowhere else.
  allow init overlayfs_file:dir { relabelfrom mounton write };
  allow init overlayfs_file:file { append };
  allow init system_block_device:blk_file { write };
')

allow init {
  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
  proc_cmdline
  proc_diskstats
  proc_kmsg # Open /proc/kmsg for logd service.
  proc_meminfo
  proc_stat # Read /proc/stat for bootchart.
  proc_uptime
  proc_version
}:file r_file_perms;

# Writable /proc tunables. proc_sysrq stands out: a write there (presumably
# /proc/sysrq-trigger) can reboot or crash the kernel, so it should stay
# confined to init.
allow init {
  proc_abi
  proc_dirty
  proc_hostname
  proc_hung_task
  proc_extra_free_kbytes
  proc_net_type
  proc_max_map_count
  proc_min_free_order_shift
  proc_overcommit_memory
  proc_panic
  proc_page_cluster
  proc_perf
  proc_sched
  proc_sysrq
}:file w_file_perms;

allow init {
  proc_security
}:file rw_file_perms;

# init chmod/chown access to /proc files.
allow init {
  proc_cmdline
  proc_kmsg
  proc_net
  proc_qtaguid_stat
  proc_slabinfo
  proc_sysrq
  proc_qtaguid_ctrl
  proc_vmallocinfo
}:file setattr;

# init access to /sys files.
allow init {
  sysfs_android_usb
  sysfs_leds
  sysfs_power
  sysfs_fs_f2fs
  sysfs_dm
}:file w_file_perms;

allow init {
  sysfs_dt_firmware_android
  sysfs_fs_ext4_features
}:file r_file_perms;

allow init {
  sysfs_zram
}:file rw_file_perms;

# allow init to create loop devices with /dev/loop-control
allow init loop_control_device:chr_file rw_file_perms;
allow init loop_device:blk_file rw_file_perms;
# rw_file_perms includes the generic ioctl permission; this allowxperm narrows
# it to the loop ioctls listed. Any other ioctl on loop_device is denied.
allowxperm init loop_device:blk_file ioctl {
  LOOP_SET_FD
  LOOP_CLR_FD
  LOOP_CTL_GET_FREE
  LOOP_SET_BLOCK_SIZE
  LOOP_SET_DIRECT_IO
};

# Allow init to write to vibrator/trigger
allow init sysfs_vibrator:file w_file_perms;

# init chmod/chown access to /sys files.
allow init {
  sysfs_android_usb
  sysfs_devices_system_cpu
  sysfs_ipv4
  sysfs_leds
  sysfs_lowmemorykiller
  sysfs_power
  sysfs_vibrator
  sysfs_wake_lock
  sysfs_zram
}:file setattr;
404
# Set usermodehelpers.
# NOTE(review): usermodehelper files are typically the kernel's hotplug/uevent
# helper settings; write access amounts to choosing a binary the kernel will
# execute, so this must stay init-only -- confirm which paths carry these types.
allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;

# CAP_NET_ADMIN; no rationale recorded here. Presumably required for the
# SIOCSIFFLAGS ioctl used by "ifup lo" below -- confirm.
allow init self:global_capability_class_set net_admin;

# Reboot.
allow init self:global_capability_class_set sys_boot;

# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
# Init will also walk through the directory as part of a recursive restorecon.
allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
allow init misc_logd_file:file { open create getattr setattr write };

# Support "adb shell stop"
# init may signal and kill processes in every domain; this is how services are
# stopped. No ptrace or other process control is granted here.
allow init self:global_capability_class_set kill;
allow init domain:process { getpgid sigkill signal };

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
# Deliberately no read/write on keystore files: getattr only, for restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };

# Init creates vold's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init vold_data_file:dir { open create read getattr setattr search };
allow init vold_data_file:file { getattr };

# Init creates /data/local/tmp at boot
# (no write/add_name here; a neverallow at the end of this file enforces it)
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };

# Set UID, GID, and adjust capability bounding set for services.
# Used when launching services so they run with their configured user/group
# and a reduced capability bounding set rather than init's.
allow init self:global_capability_class_set { setuid setgid setpcap };

# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have following line to allow init to have access
# to different domains.
# This is a broad read grant over every domain's /proc entries.
r_dir_file(init, domain)

# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
# setexec is how init places a service in its own domain; the execute_no_trans
# neverallow at the end of this file makes such a transition mandatory.
allow init self:process { setexec setfscreate setsockcreate };

# Get file context
allow init file_contexts_file:file r_file_perms;

# sepolicy access
allow init sepolicy_file:file r_file_perms;

# Perform SELinux access checks on setting properties.
selinux_check_access(init)

# Ask the kernel for the new context on services to label their sockets.
allow init kernel:security compute_create;

# Create sockets for the services.
# The socket is created in the service's domain (via setsockcreate above), so
# these rules are granted against "domain" rather than self.
allow init domain:unix_stream_socket { create bind setopt };
allow init domain:unix_dgram_socket { create bind setopt };

# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;

# Set any property.
# init can set every property_type itself; per-property policy for requests
# from other domains is enforced by init in userspace via selinux_check_access
# above.
allow init property_type:property_service set;

# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:global_capability_class_set audit_write;

# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs:
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
allow init self:global_capability_class_set net_raw;

# Set scheduling info for psi monitor thread.
allow init kernel:process { getsched setsched };

# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;

# Read from /dev/hw_random if present.
# system/core/init/init.c - mix_hwrng_into_linux_rng_action
allow init hw_random_device:chr_file r_file_perms;

# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO:  Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file create_file_perms;

# keychord retrieval from /dev/input/ devices
allow init input_device:dir r_dir_perms;
allow init input_device:chr_file rw_file_perms;

# Access device mapper for setting up dm-verity
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;

# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;

# Read /sys/fs/pstore/console-ramoops to detect restarts caused
# by dm-verity detecting corrupted blocks
allow init pstorefs:dir search;
allow init pstorefs:file r_file_perms;
allow init kernel:system syslog_read;

# linux keyring configuration
allow init init:key { write search setattr };

# Allow init to create /data/unencrypted
allow init unencrypted_data_file:dir create_dir_perms;

# Set encryption policy on dirs in /data
# Only the two fscrypt policy ioctls are permitted on data_file_type dirs; any
# other ioctl is denied once this allowxperm exists.
allowxperm init data_file_type:dir ioctl {
  FS_IOC_GET_ENCRYPTION_POLICY
  FS_IOC_SET_ENCRYPTION_POLICY
};

# Allow init to write to /proc/sys/vm/overcommit_memory
# (redundant: proc_overcommit_memory already gets w_file_perms above)
allow init proc_overcommit_memory:file { write };

# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;

r_dir_file(init, system_file)
r_dir_file(init, vendor_file_type)

allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file r_file_perms;

# For init to be able to run shell scripts from vendor
# execute only: the execute_no_trans neverallow at the end of this file still
# requires a domain transition, so the script never runs in the init domain.
allow init vendor_shell_exec:file execute;

# Metadata setup
allow init vold_metadata_file:dir create_dir_perms;
allow init vold_metadata_file:file getattr;

# Allow init to use binder
binder_use(init);
# In this file init's binder use is limited to apexd: find apex_service and
# call apexd (the neverallow rules at the end forbid finding anything else).
allow init apex_service:service_manager find;
# Allow servicemanager to pass it
allow servicemanager init:binder transfer;
# Allow calls from init to apexd
allow init apexd:binder call;

# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { rw_file_perms setattr };

# init is using bootstrap bionic
allow init system_bootstrap_lib_file:dir r_dir_perms;
allow init system_bootstrap_lib_file:file { execute read open getattr map };
564
565###
566### neverallow rules
567###
568
569# The init domain is only entered via an exec based transition from the
570# kernel domain, never via setcon().
571neverallow domain init:process dyntransition;
572neverallow { domain -kernel } init:process transition;
573neverallow init { file_type fs_type -init_exec }:file entrypoint;
574
575# Never read/follow symlinks created by shell or untrusted apps.
576neverallow init shell_data_file:lnk_file read;
577neverallow init { app_data_file privapp_data_file }:lnk_file read;
578
579# init should never execute a program without changing to another domain.
580neverallow init { file_type fs_type }:file execute_no_trans;
581
582# init can only find the APEX service
583neverallow init { service_manager_type -apex_service }:service_manager { find };
584# init can never add binder services
585neverallow init service_manager_type:service_manager { add };
586# init can never list binder services
587neverallow init servicemanager:service_manager list;
588
589# Init should not be creating subdirectories in /data/local/tmp
590neverallow init shell_data_file:dir { write add_name remove_name };
591
592# Init should not access sysfs node that are not explicitly labeled.
593neverallow init sysfs:file { open read write };
594
595# No domain should be allowed to ptrace init.
596neverallow * init:process ptrace;
597