diff options
Diffstat (limited to 'init.te')
-rw-r--r-- | init.te | 298 |
1 files changed, 0 insertions, 298 deletions
diff --git a/init.te b/init.te deleted file mode 100644 index e1a8217..0000000 --- a/init.te +++ /dev/null @@ -1,298 +0,0 @@ -# init is its own domain. -type init, domain, domain_deprecated, mlstrustedsubject; -tmpfs_domain(init) - -# The init domain is entered by execing init. -type init_exec, exec_type, file_type; - -# /dev/__null__ node created by init. -allow init tmpfs:chr_file create_file_perms; - -# -# init direct restorecon calls. -# -# /dev/socket -allow init { device socket_device }:dir relabelto; -# /dev/__properties__ -allow init properties_device:dir relabelto; -allow init properties_serial:file { write relabelto }; -allow init property_type:file { create_file_perms relabelto }; - -# setrlimit -allow init self:capability sys_resource; - -# Remove /dev/.booting, created before initial policy load or restorecon /dev. -allow init tmpfs:file unlink; - -# Access pty created for fsck. -allow init devpts:chr_file { read write open }; - -# Create /dev/fscklogs files. -allow init fscklogs:file create_file_perms; - -# Access /dev/__null__ node created prior to initial policy load. -allow init tmpfs:chr_file write; - -# Access /dev/console. -allow init console_device:chr_file rw_file_perms; - -# Access /dev/tty0. -allow init tty_device:chr_file rw_file_perms; - -# Call mount(2). -allow init self:capability sys_admin; - -# Create and mount on directories in /. -allow init rootfs:dir create_dir_perms; -allow init { rootfs cache_file cgroup storage_file system_data_file system_file }:dir mounton; - -# Mount on /dev/usb-ffs/adb. -allow init device:dir mounton; - -# Create and remove symlinks in /. -allow init rootfs:lnk_file { create unlink }; - -# Mount debugfs on /sys/kernel/debug. -allow init sysfs:dir mounton; - -# Create cgroups mount points in tmpfs and mount cgroups on them. -allow init tmpfs:dir create_dir_perms; -allow init tmpfs:dir mounton; -allow init cgroup:dir create_dir_perms; -allow init cpuctl_device:dir { create mounton }; - -# Use tmpfs as /data, used for booting when /data is encrypted -allow init tmpfs:dir relabelfrom; - -# Create directories under /dev/cpuctl after chowning it to system. -allow init self:capability dac_override; - -# Set system clock. -allow init self:capability sys_time; - -allow init self:capability { sys_rawio mknod }; - -# Mounting filesystems from block devices. -allow init dev_type:blk_file r_file_perms; - -# Mounting filesystems. -# Only allow relabelto for types used in context= mount options, -# which should all be assigned the contextmount_type attribute. -# This can be done in device-specific policy via type or typeattribute -# declarations. -allow init fs_type:filesystem ~relabelto; -allow init unlabeled:filesystem ~relabelto; -allow init contextmount_type:filesystem relabelto; - -# Allow read-only access to context= mounted filesystems. -allow init contextmount_type:dir r_dir_perms; -allow init contextmount_type:notdevfile_class_set r_file_perms; - -# restorecon /adb_keys or any other rootfs files and directories to a more -# specific type. -allow init rootfs:{ dir file } relabelfrom; - -# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files. -# chown/chmod require open+read+setattr required for open()+fchown/fchmod(). -# system/core/init.rc requires at least cache_file and data_file_type. -# init.<board>.rc files often include device-specific types, so -# we just allow all file types except /system files here. -allow init self:capability { chown fowner fsetid }; -allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl }; -allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:dir { write add_name remove_name rmdir relabelfrom }; -allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink }; -allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink }; -allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:lnk_file { create getattr setattr relabelfrom unlink }; -allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto; -allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom }; -allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto; -allow init dev_type:dir create_dir_perms; -allow init dev_type:lnk_file create; - -# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on -allow init debugfs_tracing:file w_file_perms; - -# chown/chmod on pseudo files. -allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr }; -allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search }; - -# chown/chmod on devices. -allow init { dev_type -kmem_device }:chr_file { read open setattr }; - -# Unlabeled file access for upgrades from 4.2. -allow init unlabeled:dir { create_dir_perms relabelfrom }; -allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom }; - -# Any operation that can modify the kernel ring buffer, e.g. clear -# or a read that consumes the messages that were read. -allow init kernel:system syslog_mod; -allow init self:capability2 syslog; - -# Set usermodehelpers and /proc security settings. -allow init usermodehelper:file rw_file_perms; -allow init proc_security:file rw_file_perms; - -# Write to /proc/sys/kernel/panic_on_oops. -allow init proc:file w_file_perms; - -# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files. -allow init proc_net:file w_file_perms; -allow init self:capability net_admin; - -# Write to /proc/sysrq-trigger. -allow init proc_sysrq:file w_file_perms; - -# Reboot. -allow init self:capability sys_boot; - -# Write to sysfs nodes. -allow init sysfs_type:dir r_dir_perms; -allow init sysfs_type:file w_file_perms; - -# disksize -allow init sysfs_zram:file getattr; - -# Transitions to seclabel processes in init.rc -domain_trans(init, rootfs, adbd) -domain_trans(init, rootfs, healthd) -domain_trans(init, rootfs, slideshow) -recovery_only(` - domain_trans(init, rootfs, recovery) -') -domain_trans(init, shell_exec, shell) -domain_trans(init, init_exec, ueventd) -domain_trans(init, init_exec, watchdogd) -# case where logpersistd is actually logcat -f in logd context (nee: logcatd) -userdebug_or_eng(` - domain_auto_trans(init, logcat_exec, logd) -') - -# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd". -# Init will also walk through the directory as part of a recursive restorecon. -allow init misc_logd_file:dir { open create read getattr setattr search }; -allow init misc_logd_file:file { getattr }; - -# Support "adb shell stop" -allow init self:capability kill; -allow init domain:process { sigkill signal }; - -# Init creates keystore's directory on boot, and walks through -# the directory as part of a recursive restorecon. -allow init keystore_data_file:dir { open create read getattr setattr search }; -allow init keystore_data_file:file { getattr }; - -# Init creates vold's directory on boot, and walks through -# the directory as part of a recursive restorecon. -allow init vold_data_file:dir { open create read getattr setattr search }; -allow init vold_data_file:file { getattr }; - -# Init creates /data/local/tmp at boot -allow init shell_data_file:dir { open create read getattr setattr search }; -allow init shell_data_file:file { getattr }; - -# Set UID and GID for services. -allow init self:capability { setuid setgid }; - -# For bootchart to read the /proc/$pid/cmdline file of each process, -# we need to have following line to allow init to have access -# to different domains. -r_dir_file(init, domain) - -# Use setexeccon(), setfscreatecon(), and setsockcreatecon(). -# setexec is for services with seclabel options. -# setfscreate is for labeling directories and socket files. -# setsockcreate is for labeling local/unix domain sockets. -allow init self:process { setexec setfscreate setsockcreate }; - -# Perform SELinux access checks on setting properties. -selinux_check_access(init) - -# Ask the kernel for the new context on services to label their sockets. -allow init kernel:security compute_create; - -# Create sockets for the services. -allow init domain:unix_stream_socket { create bind }; -allow init domain:unix_dgram_socket { create bind }; - -# Create /data/property and files within it. -allow init property_data_file:dir create_dir_perms; -allow init property_data_file:file create_file_perms; - -# Set any property. -allow init property_type:property_service set; - -# Run "ifup lo" to bring up the localhost interface -allow init self:udp_socket { create ioctl }; -allow init self:capability net_raw; - -# This line seems suspect, as it should not really need to -# set scheduling parameters for a kernel domain task. -allow init kernel:process setsched; - -# swapon() needs write access to swap device -# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all -allow init swap_block_device:blk_file rw_file_perms; - -# Read from /dev/hw_random if present. -# system/core/init/init.c - mix_hwrng_into_linux_rng_action -allow init hw_random_device:chr_file r_file_perms; - -# Create and access /dev files without a specific type, -# e.g. /dev/.coldboot_done, /dev/.booting -# TODO: Move these files into their own type unless they are -# only ever accessed by init. -allow init device:file create_file_perms; - -# Access character devices without a specific type, -# e.g. /dev/keychord. -# TODO: Move these devices into their own type unless they -# are only ever accessed by init. -allow init device:chr_file { rw_file_perms setattr }; - -# keychord configuration -allow init self:capability sys_tty_config; - -# Access device mapper for setting up dm-verity -allow init dm_device:chr_file rw_file_perms; -allow init dm_device:blk_file rw_file_perms; - -# Access metadata block device for storing dm-verity state -allow init metadata_block_device:blk_file rw_file_perms; - -# Read /sys/fs/pstore/console-ramoops to detect restarts caused -# by dm-verity detecting corrupted blocks -allow init pstorefs:dir search; -allow init pstorefs:file r_file_perms; -allow init kernel:system syslog_read; - -# linux keyring configuration -allow init init:key { write search setattr }; - -# Allow init to create /data/unencrypted -allow init unencrypted_data_file:dir create_dir_perms; - -unix_socket_connect(init, vold, vold) - -### -### neverallow rules -### - -# The init domain is only entered via setcon from the kernel domain, -# never via an exec-based transition. -neverallow domain init:process dyntransition; -neverallow { domain -kernel} init:process transition; -neverallow init { file_type fs_type -init_exec }:file entrypoint; - -# Never read/follow symlinks created by shell or untrusted apps. -neverallow init shell_data_file:lnk_file read; -neverallow init app_data_file:lnk_file read; - -# init should never execute a program without changing to another domain. -neverallow init { file_type fs_type }:file execute_no_trans; - -# Init never adds or uses services via service_manager. -neverallow init service_manager_type:service_manager { add find }; -neverallow init servicemanager:service_manager list; - -# Init should not be creating subdirectories in /data/local/tmp -neverallow init shell_data_file:dir { write add_name remove_name }; |