summaryrefslogtreecommitdiff
path: root/prebuilts/api/32.0/private/init.te
diff options
context:
space:
mode:
Diffstat (limited to 'prebuilts/api/32.0/private/init.te')
-rw-r--r--prebuilts/api/32.0/private/init.te117
1 files changed, 117 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/private/init.te b/prebuilts/api/32.0/private/init.te
new file mode 100644
index 000000000..200780dfb
--- /dev/null
+++ b/prebuilts/api/32.0/private/init.te
@@ -0,0 +1,117 @@
+typeattribute init coredomain;
+
+tmpfs_domain(init)
+
+# Transitions to seclabel processes in init.rc
+domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
+domain_auto_trans(init, charger_exec, charger)
+domain_auto_trans(init, e2fs_exec, e2fs)
+domain_auto_trans(init, bpfloader_exec, bpfloader)
+
+recovery_only(`
+ # Files in recovery image are labeled as rootfs.
+ domain_trans(init, rootfs, adbd)
+ domain_trans(init, rootfs, charger)
+ domain_trans(init, rootfs, fastbootd)
+ domain_trans(init, rootfs, recovery)
+ domain_trans(init, rootfs, linkerconfig)
+ domain_trans(init, rootfs, snapuserd)
+')
+domain_trans(init, shell_exec, shell)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, vendor_init)
+domain_trans(init, { rootfs toolbox_exec }, modprobe)
+userdebug_or_eng(`
+ # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+ domain_auto_trans(init, logcat_exec, logpersist)
+
+ # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
+ allow init su:process transition;
+ dontaudit init su:process noatsecure;
+ allow init su:process { siginh rlimitinh };
+')
+
+# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
+# This is useful in case of remounting ext4 userdata into checkpointing mode,
+# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
+# that userdata is mounted onto.
+allow init sysfs_dm:file read;
+
+# Allow init to modify the properties of loop devices.
+allow init sysfs_loop:dir r_dir_perms;
+allow init sysfs_loop:file rw_file_perms;
+
+# Allow init to examine the properties of block devices.
+allow init sysfs_block_type:file { getattr read };
+# Allow init access /dev/block
+allow init bdev_type:dir r_dir_perms;
+allow init bdev_type:blk_file getattr;
+
+# Allow init to write to the drop_caches file.
+allow init proc_drop_caches:file rw_file_perms;
+
+# Allow the BoringSSL self test to request a reboot upon failure
+set_prop(init, powerctl_prop)
+
+# Only init is allowed to set userspace reboot related properties.
+set_prop(init, userspace_reboot_exported_prop)
+neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
+
+# Second-stage init performs a test for whether the kernel has SELinux hooks
+# for the perf_event_open() syscall. This is done by testing for the syscall
+# outcomes corresponding to this policy.
+# TODO(b/137092007): this can be removed once the platform stops supporting
+# kernels that precede the perf_event_open hooks (Android common kernels 4.4
+# and 4.9).
+allow init self:perf_event { open cpu };
+allow init self:global_capability2_class_set perfmon;
+neverallow init self:perf_event { kernel tracepoint read write };
+dontaudit init self:perf_event { kernel tracepoint read write };
+
+# Allow init to communicate with snapuserd to transition Virtual A/B devices
+# from the first-stage daemon to the second-stage.
+allow init snapuserd_socket:sock_file write;
+allow init snapuserd:unix_stream_socket connectto;
+# Allow for libsnapshot's use of flock() on /metadata/ota.
+allow init ota_metadata_file:dir lock;
+
+# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
+# /dev/block.
+allow init vd_device:blk_file relabelto;
+
+# Only init is allowed to set the sysprop indicating whether perf_event_open()
+# SELinux hooks were detected.
+set_prop(init, init_perf_lsm_hooks_prop)
+neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
+
+# Only init can write vts.native_server.on
+set_prop(init, vts_status_prop)
+neverallow { domain -init } vts_status_prop:property_service set;
+
+# Only init can write normal ro.boot. properties
+neverallow { domain -init } bootloader_prop:property_service set;
+
+# Only init can write ro.boot.hypervisor properties
+neverallow { domain -init } hypervisor_prop:property_service set;
+
+# Only init can write hal.instrumentation.enable
+neverallow { domain -init } hal_instrumentation_prop:property_service set;
+
+# Only init can write ro.property_service.version
+neverallow { domain -init } property_service_version_prop:property_service set;
+
+# Only init can set keystore.boot_level
+neverallow { domain -init } keystore_listen_prop:property_service set;
+
+# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
+allow init debugfs_bootreceiver_tracing:file w_file_perms;
+
+# chown/chmod on devices.
+allow init {
+ dev_type
+ -hw_random_device
+ -keychord_device
+ -kvm_device
+ -port_device
+}:chr_file setattr;
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-03 08:35:46 +0000