You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
660 lines
20 KiB
660 lines
20 KiB
# init is its own domain.
|
|
type init, domain, mlstrustedsubject;
|
|
type init_exec, system_file_type, exec_type, file_type;
|
|
type init_tmpfs, file_type;
|
|
|
|
# /dev/__null__ node created by init.
|
|
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
|
|
|
|
#
|
|
# init direct restorecon calls.
|
|
#
|
|
# /dev/kmsg
|
|
allow init tmpfs:chr_file relabelfrom;
|
|
allow init kmsg_device:chr_file { getattr write relabelto };
|
|
# /dev/kmsg_debug
|
|
userdebug_or_eng(`
|
|
allow init kmsg_debug_device:chr_file { open write relabelto };
|
|
')
|
|
|
|
# allow init to mount and unmount debugfs in debug builds
|
|
userdebug_or_eng(`
|
|
allow init debugfs:dir mounton;
|
|
')
|
|
|
|
# /dev/__properties__
|
|
allow init properties_device:dir relabelto;
|
|
allow init properties_serial:file { write relabelto };
|
|
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
|
|
# /dev/__properties__/property_info
|
|
allow init properties_device:file create_file_perms;
|
|
allow init property_info:file relabelto;
|
|
# /dev/event-log-tags
|
|
allow init device:file relabelfrom;
|
|
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
|
|
# /dev/socket
|
|
allow init { device socket_device dm_user_device }:dir relabelto;
|
|
# allow init to establish connection and communicate with lmkd
|
|
unix_socket_connect(init, lmkd, lmkd)
|
|
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
|
|
allow init { null_device ptmx_device random_device } : chr_file relabelto;
|
|
# /dev/device-mapper, /dev/block(/.*)?
|
|
allow init tmpfs:{ chr_file blk_file } relabelfrom;
|
|
allow init tmpfs:blk_file getattr;
|
|
allow init block_device:{ dir blk_file lnk_file } relabelto;
|
|
allow init dm_device:{ chr_file blk_file } relabelto;
|
|
allow init dm_user_device:chr_file relabelto;
|
|
allow init kernel:fd use;
|
|
# restorecon for early mount device symlinks
|
|
allow init tmpfs:lnk_file { getattr read relabelfrom };
|
|
allow init {
|
|
metadata_block_device
|
|
misc_block_device
|
|
recovery_block_device
|
|
system_block_device
|
|
userdata_block_device
|
|
}:{ blk_file lnk_file } relabelto;
|
|
|
|
allow init super_block_device:lnk_file relabelto;
|
|
|
|
# Create /mnt/sdcard -> /storage/self/primary symlink.
|
|
allow init mnt_sdcard_file:lnk_file create;
|
|
|
|
# setrlimit
|
|
allow init self:global_capability_class_set sys_resource;
|
|
|
|
# Remove /dev/.booting and load /debug_ramdisk/* files
|
|
allow init tmpfs:file { getattr unlink };
|
|
|
|
# Access pty created for fsck.
|
|
allow init devpts:chr_file { read write open };
|
|
|
|
# Create /dev/fscklogs files.
|
|
allow init fscklogs:file create_file_perms;
|
|
|
|
# Access /dev/__null__ node created prior to initial policy load.
|
|
allow init tmpfs:chr_file write;
|
|
|
|
# Access /dev/console.
|
|
allow init console_device:chr_file rw_file_perms;
|
|
|
|
# Access /dev/tty0.
|
|
allow init tty_device:chr_file rw_file_perms;
|
|
|
|
# Call mount(2).
|
|
allow init self:global_capability_class_set sys_admin;
|
|
|
|
# Call setns(2).
|
|
allow init self:global_capability_class_set sys_chroot;
|
|
|
|
# Create and mount on directories in /.
|
|
allow init rootfs:dir create_dir_perms;
|
|
allow init {
|
|
rootfs
|
|
cache_file
|
|
cgroup
|
|
linkerconfig_file
|
|
storage_file
|
|
mnt_user_file
|
|
system_data_file
|
|
system_data_root_file
|
|
system_file
|
|
vendor_file
|
|
postinstall_mnt_dir
|
|
mirror_data_file
|
|
}:dir mounton;
|
|
|
|
# Mount bpf fs on sys/fs/bpf
|
|
allow init fs_bpf:dir mounton;
|
|
|
|
# Mount on /dev/usb-ffs/adb.
|
|
allow init device:dir mounton;
|
|
|
|
# Mount tmpfs on /apex
|
|
allow init apex_mnt_dir:dir mounton;
|
|
|
|
# Bind-mount on /system/apex/com.android.art
|
|
allow init art_apex_dir:dir mounton;
|
|
|
|
# Create and remove symlinks in /.
|
|
allow init rootfs:lnk_file { create unlink };
|
|
|
|
# Mount debugfs on /sys/kernel/debug.
|
|
allow init sysfs:dir mounton;
|
|
|
|
# Create cgroups mount points in tmpfs and mount cgroups on them.
|
|
allow init tmpfs:dir create_dir_perms;
|
|
allow init tmpfs:dir mounton;
|
|
allow init cgroup:dir create_dir_perms;
|
|
allow init cgroup:file rw_file_perms;
|
|
allow init cgroup_rc_file:file rw_file_perms;
|
|
allow init cgroup_desc_file:file r_file_perms;
|
|
allow init cgroup_desc_api_file:file r_file_perms;
|
|
allow init vendor_cgroup_desc_file:file r_file_perms;
|
|
allow init cgroup_v2:dir { mounton create_dir_perms};
|
|
allow init cgroup_v2:file rw_file_perms;
|
|
|
|
# /config
|
|
allow init configfs:dir mounton;
|
|
allow init configfs:dir create_dir_perms;
|
|
allow init configfs:{ file lnk_file } create_file_perms;
|
|
|
|
# /metadata
|
|
allow init metadata_file:dir mounton;
|
|
|
|
# Use tmpfs as /data, used for booting when /data is encrypted
|
|
allow init tmpfs:dir relabelfrom;
|
|
|
|
# Create directories under /dev/cpuctl after chowning it to system.
|
|
allow init self:global_capability_class_set { dac_override dac_read_search };
|
|
|
|
# Set system clock.
|
|
allow init self:global_capability_class_set sys_time;
|
|
|
|
allow init self:global_capability_class_set { sys_rawio mknod };
|
|
|
|
# Mounting filesystems from block devices.
|
|
allow init dev_type:blk_file r_file_perms;
|
|
allowxperm init dev_type:blk_file ioctl BLKROSET;
|
|
|
|
# Mounting filesystems.
|
|
# Only allow relabelto for types used in context= mount options,
|
|
# which should all be assigned the contextmount_type attribute.
|
|
# This can be done in device-specific policy via type or typeattribute
|
|
# declarations.
|
|
allow init {
|
|
fs_type
|
|
enforce_debugfs_restriction(`-debugfs_type')
|
|
}:filesystem ~relabelto;
|
|
|
|
# Allow init to mount/unmount debugfs in non-user builds.
|
|
enforce_debugfs_restriction(`
|
|
userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
|
|
')
|
|
|
|
# Allow init to mount tracefs in /sys/kernel/tracing
|
|
allow init debugfs_tracing_debug:filesystem mount;
|
|
|
|
allow init unlabeled:filesystem ~relabelto;
|
|
allow init contextmount_type:filesystem relabelto;
|
|
|
|
# Allow read-only access to context= mounted filesystems.
|
|
allow init contextmount_type:dir r_dir_perms;
|
|
allow init contextmount_type:notdevfile_class_set r_file_perms;
|
|
|
|
# restorecon /adb_keys or any other rootfs files and directories to a more
|
|
# specific type.
|
|
allow init rootfs:{ dir file } relabelfrom;
|
|
|
|
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
|
|
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
|
|
# system/core/init.rc requires at least cache_file and data_file_type.
|
|
# init.<board>.rc files often include device-specific types, so
|
|
# we just allow all file types except /system files here.
|
|
allow init self:global_capability_class_set { chown fowner fsetid };
|
|
|
|
allow init {
|
|
file_type
|
|
-app_data_file
|
|
-exec_type
|
|
-misc_logd_file
|
|
-nativetest_data_file
|
|
-privapp_data_file
|
|
-system_app_data_file
|
|
-system_file_type
|
|
-vendor_file_type
|
|
}:dir { create search getattr open read setattr ioctl };
|
|
|
|
allow init {
|
|
file_type
|
|
-app_data_file
|
|
-exec_type
|
|
-iorapd_data_file
|
|
-credstore_data_file
|
|
-keystore_data_file
|
|
-misc_logd_file
|
|
-nativetest_data_file
|
|
-privapp_data_file
|
|
-shell_data_file
|
|
-system_app_data_file
|
|
-system_file_type
|
|
-vendor_file_type
|
|
-vold_data_file
|
|
}:dir { write add_name remove_name rmdir relabelfrom };
|
|
|
|
allow init {
|
|
file_type
|
|
-apex_info_file
|
|
-app_data_file
|
|
-exec_type
|
|
-gsi_data_file
|
|
-iorapd_data_file
|
|
-credstore_data_file
|
|
-keystore_data_file
|
|
-misc_logd_file
|
|
-nativetest_data_file
|
|
-privapp_data_file
|
|
-runtime_event_log_tags_file
|
|
-shell_data_file
|
|
-system_app_data_file
|
|
-system_file_type
|
|
-vendor_file_type
|
|
-vold_data_file
|
|
enforce_debugfs_restriction(`-debugfs_type')
|
|
}:file { create getattr open read write setattr relabelfrom unlink map };
|
|
|
|
allow init tracefs_type:file { create_file_perms relabelfrom };
|
|
|
|
allow init {
|
|
file_type
|
|
-app_data_file
|
|
-exec_type
|
|
-gsi_data_file
|
|
-iorapd_data_file
|
|
-credstore_data_file
|
|
-keystore_data_file
|
|
-misc_logd_file
|
|
-nativetest_data_file
|
|
-privapp_data_file
|
|
-shell_data_file
|
|
-system_app_data_file
|
|
-system_file_type
|
|
-vendor_file_type
|
|
-vold_data_file
|
|
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
|
|
|
|
allow init {
|
|
file_type
|
|
-apex_mnt_dir
|
|
-app_data_file
|
|
-exec_type
|
|
-gsi_data_file
|
|
-iorapd_data_file
|
|
-credstore_data_file
|
|
-keystore_data_file
|
|
-misc_logd_file
|
|
-nativetest_data_file
|
|
-privapp_data_file
|
|
-shell_data_file
|
|
-system_app_data_file
|
|
-system_file_type
|
|
-vendor_file_type
|
|
-vold_data_file
|
|
}:lnk_file { create getattr setattr relabelfrom unlink };
|
|
|
|
allow init cache_file:lnk_file r_file_perms;
|
|
|
|
allow init {
|
|
file_type
|
|
-system_file_type
|
|
-vendor_file_type
|
|
-exec_type
|
|
-app_data_file
|
|
-privapp_data_file
|
|
}:dir_file_class_set relabelto;
|
|
|
|
allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
|
|
allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
|
|
allow init dev_type:dir create_dir_perms;
|
|
allow init dev_type:lnk_file create;
|
|
|
|
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
|
|
allow init debugfs_tracing:file w_file_perms;
|
|
|
|
# Setup and control wifi event tracing (see wifi-events.rc)
|
|
allow init debugfs_tracing_instances:dir create_dir_perms;
|
|
allow init debugfs_tracing_instances:file w_file_perms;
|
|
allow init debugfs_wifi_tracing:file w_file_perms;
|
|
|
|
# chown/chmod on pseudo files.
|
|
allow init {
|
|
fs_type
|
|
-contextmount_type
|
|
-keychord_device
|
|
-proc_type
|
|
-sdcard_type
|
|
-sysfs_type
|
|
-rootfs
|
|
enforce_debugfs_restriction(`-debugfs_type')
|
|
}:file { open read setattr };
|
|
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
|
|
|
|
allow init {
|
|
binder_device
|
|
console_device
|
|
devpts
|
|
dm_device
|
|
hwbinder_device
|
|
input_device
|
|
kmsg_device
|
|
null_device
|
|
owntty_device
|
|
pmsg_device
|
|
ptmx_device
|
|
random_device
|
|
tty_device
|
|
zero_device
|
|
}:chr_file { read open };
|
|
|
|
# Unlabeled file access for upgrades from 4.2.
|
|
allow init unlabeled:dir { create_dir_perms relabelfrom };
|
|
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
|
|
|
|
# Any operation that can modify the kernel ring buffer, e.g. clear
|
|
# or a read that consumes the messages that were read.
|
|
allow init kernel:system syslog_mod;
|
|
allow init self:global_capability2_class_set syslog;
|
|
|
|
# init access to /proc.
|
|
r_dir_file(init, proc_net_type)
|
|
allow init proc_filesystems:file r_file_perms;
|
|
|
|
userdebug_or_eng(`
|
|
# Overlayfs workdir write access check during mount to permit remount,rw
|
|
allow init overlayfs_file:dir { relabelfrom mounton write };
|
|
allow init overlayfs_file:file { append };
|
|
allow init system_block_device:blk_file { write };
|
|
')
|
|
|
|
allow init {
|
|
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
|
|
proc_bootconfig
|
|
proc_cmdline
|
|
proc_diskstats
|
|
proc_kmsg # Open /proc/kmsg for logd service.
|
|
proc_meminfo
|
|
proc_stat # Read /proc/stat for bootchart.
|
|
proc_uptime
|
|
proc_version
|
|
}:file r_file_perms;
|
|
|
|
allow init {
|
|
proc_abi
|
|
proc_dirty
|
|
proc_hostname
|
|
proc_hung_task
|
|
proc_extra_free_kbytes
|
|
proc_net_type
|
|
proc_max_map_count
|
|
proc_min_free_order_shift
|
|
proc_overcommit_memory # /proc/sys/vm/overcommit_memory
|
|
proc_panic
|
|
proc_page_cluster
|
|
proc_perf
|
|
proc_sched
|
|
proc_sysrq
|
|
}:file w_file_perms;
|
|
|
|
allow init {
|
|
proc_security
|
|
}:file rw_file_perms;
|
|
|
|
# init chmod/chown access to /proc files.
|
|
allow init {
|
|
proc_cmdline
|
|
proc_bootconfig
|
|
proc_kmsg
|
|
proc_net
|
|
proc_pagetypeinfo
|
|
proc_qtaguid_stat
|
|
proc_slabinfo
|
|
proc_sysrq
|
|
proc_qtaguid_ctrl
|
|
proc_vmallocinfo
|
|
}:file setattr;
|
|
|
|
# init access to /sys files.
|
|
allow init {
|
|
sysfs_android_usb
|
|
sysfs_dm_verity
|
|
sysfs_leds
|
|
sysfs_power
|
|
sysfs_fs_f2fs
|
|
sysfs_dm
|
|
}:file w_file_perms;
|
|
|
|
allow init {
|
|
sysfs_dt_firmware_android
|
|
sysfs_fs_ext4_features
|
|
}:file r_file_perms;
|
|
|
|
allow init {
|
|
sysfs_zram
|
|
}:file rw_file_perms;
|
|
|
|
# allow init to create loop devices with /dev/loop-control
|
|
allow init loop_control_device:chr_file rw_file_perms;
|
|
allow init loop_device:blk_file rw_file_perms;
|
|
allowxperm init loop_device:blk_file ioctl {
|
|
LOOP_SET_FD
|
|
LOOP_CLR_FD
|
|
LOOP_CTL_GET_FREE
|
|
LOOP_SET_BLOCK_SIZE
|
|
LOOP_SET_DIRECT_IO
|
|
LOOP_GET_STATUS
|
|
};
|
|
|
|
# Allow init to write to vibrator/trigger
|
|
allow init sysfs_vibrator:file w_file_perms;
|
|
|
|
# init chmod/chown access to /sys files.
|
|
allow init {
|
|
sysfs_android_usb
|
|
sysfs_devices_system_cpu
|
|
sysfs_ipv4
|
|
sysfs_leds
|
|
sysfs_lowmemorykiller
|
|
sysfs_power
|
|
sysfs_vibrator
|
|
sysfs_wake_lock
|
|
sysfs_zram
|
|
}:file setattr;
|
|
|
|
# Set usermodehelpers.
|
|
allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
|
|
|
|
allow init self:global_capability_class_set net_admin;
|
|
|
|
# Reboot.
|
|
allow init self:global_capability_class_set sys_boot;
|
|
|
|
# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
|
|
# Init will also walk through the directory as part of a recursive restorecon.
|
|
allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
|
|
allow init misc_logd_file:file { open create getattr setattr write };
|
|
|
|
# Support "adb shell stop"
|
|
allow init self:global_capability_class_set kill;
|
|
allow init domain:process { getpgid sigkill signal };
|
|
|
|
# Init creates credstore's directory on boot, and walks through
|
|
# the directory as part of a recursive restorecon.
|
|
allow init credstore_data_file:dir { open create read getattr setattr search };
|
|
allow init credstore_data_file:file { getattr };
|
|
|
|
# Init creates keystore's directory on boot, and walks through
|
|
# the directory as part of a recursive restorecon.
|
|
allow init keystore_data_file:dir { open create read getattr setattr search };
|
|
allow init keystore_data_file:file { getattr };
|
|
|
|
# Init creates vold's directory on boot, and walks through
|
|
# the directory as part of a recursive restorecon.
|
|
allow init vold_data_file:dir { open create read getattr setattr search };
|
|
allow init vold_data_file:file { getattr };
|
|
|
|
# Init creates /data/local/tmp at boot
|
|
allow init shell_data_file:dir { open create read getattr setattr search };
|
|
allow init shell_data_file:file { getattr };
|
|
|
|
# Set UID, GID, and adjust capability bounding set for services.
|
|
allow init self:global_capability_class_set { setuid setgid setpcap };
|
|
|
|
# For bootchart to read the /proc/$pid/cmdline file of each process,
|
|
# we need to have following line to allow init to have access
|
|
# to different domains.
|
|
r_dir_file(init, domain)
|
|
|
|
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
|
|
# setexec is for services with seclabel options.
|
|
# setfscreate is for labeling directories and socket files.
|
|
# setsockcreate is for labeling local/unix domain sockets.
|
|
allow init self:process { setexec setfscreate setsockcreate };
|
|
|
|
# Get file context
|
|
allow init file_contexts_file:file r_file_perms;
|
|
|
|
# sepolicy access
|
|
allow init sepolicy_file:file r_file_perms;
|
|
|
|
# Perform SELinux access checks on setting properties.
|
|
selinux_check_access(init)
|
|
|
|
# Ask the kernel for the new context on services to label their sockets.
|
|
allow init kernel:security compute_create;
|
|
|
|
# Create sockets for the services.
|
|
allow init domain:unix_stream_socket { create bind setopt };
|
|
allow init domain:unix_dgram_socket { create bind setopt };
|
|
|
|
# Create /data/property and files within it.
|
|
allow init property_data_file:dir create_dir_perms;
|
|
allow init property_data_file:file create_file_perms;
|
|
|
|
# Set any property.
|
|
allow init property_type:property_service set;
|
|
|
|
# Send an SELinux userspace denial to the kernel audit subsystem,
|
|
# so it can be picked up and processed by logd. These denials are
|
|
# generated when an attempt to set a property is denied by policy.
|
|
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
|
|
allow init self:global_capability_class_set audit_write;
|
|
|
|
# Run "ifup lo" to bring up the localhost interface
|
|
allow init self:udp_socket { create ioctl };
|
|
# in addition to unpriv ioctls granted to all domains, init also needs:
|
|
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
|
|
allow init self:global_capability_class_set net_raw;
|
|
|
|
# Set scheduling info for psi monitor thread.
|
|
# TODO: delete or revise this line b/131761776
|
|
allow init kernel:process { getsched setsched };
|
|
|
|
# swapon() needs write access to swap device
|
|
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
|
|
allow init swap_block_device:blk_file rw_file_perms;
|
|
|
|
# Create and access /dev files without a specific type,
|
|
# e.g. /dev/.coldboot_done, /dev/.booting
|
|
# TODO: Move these files into their own type unless they are
|
|
# only ever accessed by init.
|
|
allow init device:file create_file_perms;
|
|
|
|
# keychord retrieval from /dev/input/ devices
|
|
allow init input_device:dir r_dir_perms;
|
|
allow init input_device:chr_file rw_file_perms;
|
|
|
|
# Access device mapper for setting up dm-verity
|
|
allow init dm_device:chr_file rw_file_perms;
|
|
allow init dm_device:blk_file rw_file_perms;
|
|
|
|
# Access dm-user for OTA boot
|
|
allow init dm_user_device:chr_file rw_file_perms;
|
|
|
|
# Access metadata block device for storing dm-verity state
|
|
allow init metadata_block_device:blk_file rw_file_perms;
|
|
|
|
# Read /sys/fs/pstore/console-ramoops to detect restarts caused
|
|
# by dm-verity detecting corrupted blocks
|
|
allow init pstorefs:dir search;
|
|
allow init pstorefs:file r_file_perms;
|
|
allow init kernel:system syslog_read;
|
|
|
|
# linux keyring configuration
|
|
allow init init:key { write search setattr };
|
|
|
|
# Allow init to create /data/unencrypted
|
|
allow init unencrypted_data_file:dir create_dir_perms;
|
|
|
|
# Set encryption policy on dirs in /data
|
|
allowxperm init { data_file_type unlabeled }:dir ioctl {
|
|
FS_IOC_GET_ENCRYPTION_POLICY
|
|
FS_IOC_SET_ENCRYPTION_POLICY
|
|
};
|
|
|
|
# Raw writes to misc block device
|
|
allow init misc_block_device:blk_file w_file_perms;
|
|
|
|
r_dir_file(init, system_file)
|
|
r_dir_file(init, vendor_file_type)
|
|
|
|
allow init system_data_file:file { getattr read };
|
|
allow init system_data_file:lnk_file r_file_perms;
|
|
|
|
# For init to be able to run shell scripts from vendor
|
|
allow init vendor_shell_exec:file execute;
|
|
|
|
# Metadata setup
|
|
allow init vold_metadata_file:dir create_dir_perms;
|
|
allow init vold_metadata_file:file getattr;
|
|
allow init metadata_bootstat_file:dir create_dir_perms;
|
|
allow init metadata_bootstat_file:file w_file_perms;
|
|
allow init userspace_reboot_metadata_file:file w_file_perms;
|
|
|
|
# Allow init to touch PSI monitors
|
|
allow init proc_pressure_mem:file { rw_file_perms setattr };
|
|
|
|
# init is using bootstrap bionic
|
|
allow init system_bootstrap_lib_file:dir r_dir_perms;
|
|
allow init system_bootstrap_lib_file:file { execute read open getattr map };
|
|
|
|
# stat the root dir of fuse filesystems (for the mount handler)
|
|
allow init fuse:dir { search getattr };
|
|
|
|
# allow filesystem tuning
|
|
allow init userdata_sysdev:file create_file_perms;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# The init domain is only entered via an exec based transition from the
|
|
# kernel domain, never via setcon().
|
|
neverallow domain init:process dyntransition;
|
|
neverallow { domain -kernel } init:process transition;
|
|
neverallow init { file_type fs_type -init_exec }:file entrypoint;
|
|
|
|
# Never read/follow symlinks created by shell or untrusted apps.
|
|
neverallow init shell_data_file:lnk_file read;
|
|
neverallow init { app_data_file privapp_data_file }:lnk_file read;
|
|
|
|
# init should never execute a program without changing to another domain.
|
|
neverallow init { file_type fs_type }:file execute_no_trans;
|
|
|
|
# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
|
|
# when init is executing other binaries. The use of LD_PRELOAD for init spawned
|
|
# services is generally considered a no-no, as it injects libraries which the
|
|
# binary was not expecting. This is especially problematic for APEXes. The use
|
|
# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
|
|
# code into a process which wasn't expecting that code, with potentially
|
|
# unexpected side effects. (b/140789528)
|
|
neverallow init *:process noatsecure;
|
|
|
|
# init can never add binder services
|
|
neverallow init service_manager_type:service_manager { add find };
|
|
# init can never list binder services
|
|
neverallow init servicemanager:service_manager list;
|
|
|
|
# Init should not be creating subdirectories in /data/local/tmp
|
|
neverallow init shell_data_file:dir { write add_name remove_name };
|
|
|
|
# Init should not access sysfs node that are not explicitly labeled.
|
|
neverallow init sysfs:file { open read write };
|
|
|
|
# No domain should be allowed to ptrace init.
|
|
neverallow * init:process ptrace;
|
|
|
|
# init owns the root of /data
|
|
# TODO(b/140259336) We want to remove vendor_init
|
|
# TODO(b/141108496) We want to remove toolbox
|
|
neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
|