init.te 4.24 KB
Newer Older
Stephen Smalley's avatar
Stephen Smalley committed
1 2 3 4 5
# init switches to init domain (via init.rc).
type init, domain;
# init is unconfined.
unconfined_domain(init)
tmpfs_domain(init)
6

7 8
allow init self:capability { sys_rawio mknod };

9 10 11 12 13 14
# Run helpers from / or /system without changing domain.
# We do not include exec_type here since generally those
# should always involve a domain transition.
allow init rootfs:file execute_no_trans;
allow init system_file:file execute_no_trans;

15
# Running e2fsck or mkswap via fs_mgr.
16
allow init dev_type:blk_file rw_file_perms;
17 18

# Mounting filesystems.
19 20 21 22 23 24 25 26 27 28 29
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;

# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;
30

31 32 33
# restorecon /adb_keys or any other rootfs files to a more specific type.
allow init rootfs:file relabelfrom;

34 35 36 37
# restorecon and restorecon_recursive calls from init.rc files.
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
38
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
39

40 41 42 43
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };

44 45 46 47 48 49
# Create /data/security from init.rc post-fs-data.
allow init security_file:dir { create setattr };

# setprop selinux.reload_policy 1 from init.rc post-fs-data.
allow init security_prop:property_service set;

50
# Reload policy upon setprop selinux.reload_policy 1.
51
r_dir_file(init, security_file)
52
allow init kernel:security load_policy;
53 54 55

# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
56
allow init kernel:system syslog_mod;
57 58

# Set usermodehelpers and /proc security settings.
59 60
allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;
61 62

# Transitions to seclabel processes in init.rc
63 64 65 66 67 68 69 70 71 72 73
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, healthd)
recovery_only(`
  domain_trans(init, rootfs, recovery)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, rootfs, ueventd)
domain_trans(init, rootfs, watchdogd)

# Certain domains need LD_PRELOAD passed from init.
# https://android-review.googlesource.com/94851
74
# For now, allow it to most domains.
75
# TODO: scope this down.
76
allow init { domain -lmkd }:process noatsecure;
77 78 79

# Support "adb shell stop"
allow init domain:process sigkill;
Nick Kralevich's avatar
Nick Kralevich committed
80 81 82 83 84

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };
85

86 87 88 89
# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };

90 91 92 93 94
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };
Stephen Smalley's avatar
Stephen Smalley committed
95 96 97 98

# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;
99

100 101 102
# Set any property.
allow init property_type:property_service set;

103 104 105
# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };

106 107 108 109
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow init kernel:process setsched;

110 111 112 113 114 115 116 117 118
###
### neverallow rules
###

# The init domain is only entered via setcon from the kernel domain,
# never via an exec-based transition.
neverallow { domain -kernel} init:process dyntransition;
neverallow domain init:process transition;
neverallow init { file_type fs_type }:file entrypoint;