1# init is its own domain.
2type init, domain, mlstrustedsubject;
3type init_exec, system_file_type, exec_type, file_type;
4type init_tmpfs, file_type;
5
6# /dev/__null__ node created by init.
7allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
8
9#
10# init direct restorecon calls.
11#
12# /dev/kmsg
13allow init tmpfs:chr_file relabelfrom;
14allow init kmsg_device:chr_file { getattr write relabelto };
15# /dev/kmsg_debug
16userdebug_or_eng(`
17  allow init kmsg_debug_device:chr_file { open write relabelto };
18')
19# /dev/__properties__
20allow init properties_device:dir relabelto;
21allow init properties_serial:file { write relabelto };
22allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
23# /dev/__properties__/property_info
24allow init properties_device:file create_file_perms;
25allow init property_info:file relabelto;
26# /dev/event-log-tags
27allow init device:file relabelfrom;
28allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
29# /dev/socket
30allow init { device socket_device }:dir relabelto;
31# Allow init to establish a connection to, and communicate with, lmkd.
32unix_socket_connect(init, lmkd, lmkd)
33# Relabel /dev nodes created in first-stage init: /dev/null, /dev/ptmx, /dev/random, /dev/urandom.
34allow init { null_device ptmx_device random_device } : chr_file relabelto;
35# /dev/device-mapper, /dev/block(/.*)?
36allow init tmpfs:{ chr_file blk_file } relabelfrom;
37allow init tmpfs:blk_file getattr;
38allow init block_device:{ dir blk_file lnk_file } relabelto;
39allow init dm_device:{ chr_file blk_file } relabelto;
40allow init kernel:fd use;
41# restorecon of the early-mount device symlinks.
42allow init tmpfs:lnk_file { getattr read relabelfrom };
43allow init {
44  metadata_block_device
45  misc_block_device
46  recovery_block_device
47  system_block_device
48  userdata_block_device
49}:{ blk_file lnk_file } relabelto;
50
51allow init super_block_device:lnk_file relabelto;
52
53# Create /mnt/sdcard -> /storage/self/primary symlink.
54allow init mnt_sdcard_file:lnk_file create;
55
56# setrlimit
57allow init self:global_capability_class_set sys_resource;
58
59# Remove /dev/.booting and load /debug_ramdisk/* files
60allow init tmpfs:file { getattr unlink };
61
62# Access pty created for fsck.
63allow init devpts:chr_file { read write open };
64
65# Create /dev/fscklogs files.
66allow init fscklogs:file create_file_perms;
67
68# Access /dev/__null__ node created prior to initial policy load.
69allow init tmpfs:chr_file write;
70
71# Access /dev/console.
72allow init console_device:chr_file rw_file_perms;
73
74# Access /dev/tty0.
75allow init tty_device:chr_file rw_file_perms;
76
77# Call mount(2).
78allow init self:global_capability_class_set sys_admin;
79
80# Call setns(2).
81allow init self:global_capability_class_set sys_chroot;
82
83# Create and mount on directories in /.
84allow init rootfs:dir create_dir_perms;
85allow init {
86    rootfs
87    cache_file
88    cgroup
89    linkerconfig_file
90    storage_file
91    mnt_user_file
92    system_data_file
93    system_data_root_file
94    system_file
95    vendor_file
96    postinstall_mnt_dir
97    mirror_data_file
98}:dir mounton;
99allow init cgroup_bpf:dir { create mounton };
100
101# Mount bpf fs on /sys/fs/bpf
102allow init fs_bpf:dir mounton;
103
104# Mount on /dev/usb-ffs/adb.
105allow init device:dir mounton;
106
107# Mount tmpfs on /apex
108allow init apex_mnt_dir:dir mounton;
109
110# Bind-mount on /system/apex/com.android.art
111allow init art_apex_dir:dir mounton;
112
113# Create and remove symlinks in /.
114allow init rootfs:lnk_file { create unlink };
115
116# Mount debugfs on /sys/kernel/debug.
117allow init sysfs:dir mounton;
118
119# Create cgroups mount points in tmpfs and mount cgroups on them.
120allow init tmpfs:dir create_dir_perms;
121allow init tmpfs:dir mounton;
122allow init cgroup:dir create_dir_perms;
123allow init cgroup:file rw_file_perms;
124allow init cgroup_rc_file:file rw_file_perms;
125allow init cgroup_desc_file:file r_file_perms;
126allow init vendor_cgroup_desc_file:file r_file_perms;
127
128# /config
129allow init configfs:dir mounton;
130allow init configfs:dir create_dir_perms;
131allow init configfs:{ file lnk_file } create_file_perms;
132
133# /metadata
134allow init metadata_file:dir mounton;
135
136# Use tmpfs as /data while booting when /data is encrypted.
137allow init tmpfs:dir relabelfrom;
138
139# Create directories under /dev/cpuctl after chowning it to system.
140allow init self:global_capability_class_set { dac_override dac_read_search };
141
142# Set system clock.
143allow init self:global_capability_class_set sys_time;
144
145allow init self:global_capability_class_set { sys_rawio mknod };
146
147# Mounting filesystems from block devices.
148allow init dev_type:blk_file r_file_perms;
149allowxperm init dev_type:blk_file ioctl BLKROSET;
150
151# Mounting filesystems.
152# Only allow relabelto for types used in context= mount options,
153# which should all be assigned the contextmount_type attribute.
154# This can be done in device-specific policy via type or typeattribute
155# declarations.
156allow init fs_type:filesystem ~relabelto;
157allow init unlabeled:filesystem ~relabelto;
158allow init contextmount_type:filesystem relabelto;
159
160# Allow read-only access to context= mounted filesystems.
161allow init contextmount_type:dir r_dir_perms;
162allow init contextmount_type:notdevfile_class_set r_file_perms;
163
164# restorecon /adb_keys or any other rootfs files and directories to a more
165# specific type.
166allow init rootfs:{ dir file } relabelfrom;
167
168# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
169# chown/chmod require open+read+setattr, because they are implemented as open()+fchown()/fchmod().
170# system/core/init.rc requires at least cache_file and data_file_type.
171# init.<board>.rc files often include device-specific types, so
172# we allow all file types here, minus the exclusions listed in the rules below (notably /system files).
173allow init self:global_capability_class_set { chown fowner fsetid };
174
175allow init {
176  file_type
177  -app_data_file
178  -exec_type
179  -misc_logd_file
180  -nativetest_data_file
181  -privapp_data_file
182  -system_app_data_file
183  -system_file_type
184  -vendor_file_type
185}:dir { create search getattr open read setattr ioctl };
186
187allow init {
188  file_type
189  -app_data_file
190  -exec_type
191  -iorapd_data_file
192  -credstore_data_file
193  -keystore_data_file
194  -misc_logd_file
195  -nativetest_data_file
196  -privapp_data_file
197  -shell_data_file
198  -system_app_data_file
199  -system_file_type
200  -vendor_file_type
201  -vold_data_file
202}:dir { write add_name remove_name rmdir relabelfrom };
203
204allow init {
205  file_type
206  -app_data_file
207  -exec_type
208  -gsi_data_file
209  -iorapd_data_file
210  -credstore_data_file
211  -keystore_data_file
212  -misc_logd_file
213  -nativetest_data_file
214  -privapp_data_file
215  -runtime_event_log_tags_file
216  -shell_data_file
217  -system_app_data_file
218  -system_file_type
219  -vendor_file_type
220  -vold_data_file
221}:file { create getattr open read write setattr relabelfrom unlink map };
222
223allow init {
224  file_type
225  -app_data_file
226  -exec_type
227  -gsi_data_file
228  -iorapd_data_file
229  -credstore_data_file
230  -keystore_data_file
231  -misc_logd_file
232  -nativetest_data_file
233  -privapp_data_file
234  -shell_data_file
235  -system_app_data_file
236  -system_file_type
237  -vendor_file_type
238  -vold_data_file
239}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
240
241allow init {
242  file_type
243  -apex_mnt_dir
244  -app_data_file
245  -exec_type
246  -gsi_data_file
247  -iorapd_data_file
248  -credstore_data_file
249  -keystore_data_file
250  -misc_logd_file
251  -nativetest_data_file
252  -privapp_data_file
253  -shell_data_file
254  -system_app_data_file
255  -system_file_type
256  -vendor_file_type
257  -vold_data_file
258}:lnk_file { create getattr setattr relabelfrom unlink };
259
260allow init cache_file:lnk_file r_file_perms;
261
262allow init {
263  file_type
264  -system_file_type
265  -vendor_file_type
266  -exec_type
267  -app_data_file
268  -privapp_data_file
269}:dir_file_class_set relabelto;
270
271allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
272allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
273allow init dev_type:dir create_dir_perms;
274allow init dev_type:lnk_file create;
275
276# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
277allow init debugfs_tracing:file w_file_perms;
278
279# Setup and control wifi event tracing (see wifi-events.rc)
280allow init debugfs_tracing_instances:dir create_dir_perms;
281allow init debugfs_tracing_instances:file w_file_perms;
282allow init debugfs_wifi_tracing:file w_file_perms;
283
284# chown/chmod on pseudo files.
285allow init {
286  fs_type
287  -contextmount_type
288  -keychord_device
289  -proc_type
290  -sdcard_type
291  -sysfs_type
292  -rootfs
293}:file { open read setattr };
294allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
295
296allow init {
297  binder_device
298  console_device
299  devpts
300  dm_device
301  hwbinder_device
302  hw_random_device
303  input_device
304  kmsg_device
305  null_device
306  owntty_device
307  pmsg_device
308  ptmx_device
309  random_device
310  tty_device
311  zero_device
312}:chr_file { read open };
313
314# chown/chmod on devices.
315allow init {
316  dev_type
317  -keychord_device
318  -port_device
319}:chr_file setattr;
320
321# Unlabeled file access for upgrades from 4.2.
322allow init unlabeled:dir { create_dir_perms relabelfrom };
323allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
324
325# Any operation that can modify the kernel ring buffer, e.g. clearing it
326# or a destructive read that consumes the messages that were read.
327allow init kernel:system syslog_mod;
328allow init self:global_capability2_class_set syslog;
329
330# init access to /proc.
331r_dir_file(init, proc_net_type)
332allow init proc_filesystems:file r_file_perms;
333
334userdebug_or_eng(`
  335# Overlayfs workdir write-access check during mount, to permit remount,rw
336  allow init overlayfs_file:dir { relabelfrom mounton write };
337  allow init overlayfs_file:file { append };
338  allow init system_block_device:blk_file { write };
339')
340
341allow init {
342  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
343  proc_cmdline
344  proc_diskstats
345  proc_kmsg # Open /proc/kmsg for logd service.
346  proc_meminfo
347  proc_stat # Read /proc/stat for bootchart.
348  proc_uptime
349  proc_version
350}:file r_file_perms;
351
352allow init {
353  proc_abi
354  proc_dirty
355  proc_hostname
356  proc_hung_task
357  proc_extra_free_kbytes
358  proc_net_type
359  proc_max_map_count
360  proc_min_free_order_shift
361  proc_overcommit_memory      # /proc/sys/vm/overcommit_memory
362  proc_panic
363  proc_page_cluster
364  proc_perf
365  proc_sched
366  proc_sysrq
367}:file w_file_perms;
368
369allow init {
370  proc_security
371}:file rw_file_perms;
372
373# init chmod/chown access to /proc files.
374allow init {
375  proc_cmdline
376  proc_kmsg
377  proc_net
378  proc_qtaguid_stat
379  proc_slabinfo
380  proc_sysrq
381  proc_qtaguid_ctrl
382  proc_vmallocinfo
383}:file setattr;
384
385# init access to /sys files.
386allow init {
387  sysfs_android_usb
388  sysfs_dm_verity
389  sysfs_leds
390  sysfs_power
391  sysfs_fs_f2fs
392  sysfs_dm
393}:file w_file_perms;
394
395allow init {
396  sysfs_dt_firmware_android
397  sysfs_fs_ext4_features
398}:file r_file_perms;
399
400allow init {
401  sysfs_zram
402}:file rw_file_perms;
403
404# allow init to create loop devices with /dev/loop-control
405allow init loop_control_device:chr_file rw_file_perms;
406allow init loop_device:blk_file rw_file_perms;
407allowxperm init loop_device:blk_file ioctl {
408  LOOP_SET_FD
409  LOOP_CLR_FD
410  LOOP_CTL_GET_FREE
411  LOOP_SET_BLOCK_SIZE
412  LOOP_SET_DIRECT_IO
413};
414
415# Allow init to write to vibrator/trigger
416allow init sysfs_vibrator:file w_file_perms;
417
418# init chmod/chown access to /sys files.
419allow init {
420  sysfs_android_usb
421  sysfs_devices_system_cpu
422  sysfs_ipv4
423  sysfs_leds
424  sysfs_lowmemorykiller
425  sysfs_power
426  sysfs_vibrator
427  sysfs_wake_lock
428  sysfs_zram
429}:file setattr;
430
431# Set usermodehelpers.
432allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
433
434allow init self:global_capability_class_set net_admin;
435
436# Reboot.
437allow init self:global_capability_class_set sys_boot;
438
439# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
440# Init will also walk through the directory as part of a recursive restorecon.
441allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
442allow init misc_logd_file:file { open create getattr setattr write };
443
444# Support "adb shell stop"
445allow init self:global_capability_class_set kill;
446allow init domain:process { getpgid sigkill signal };
447
448# Init creates credstore's directory on boot, and walks through
449# the directory as part of a recursive restorecon.
450allow init credstore_data_file:dir { open create read getattr setattr search };
451allow init credstore_data_file:file { getattr };
452
453# Init creates keystore's directory on boot, and walks through
454# the directory as part of a recursive restorecon.
455allow init keystore_data_file:dir { open create read getattr setattr search };
456allow init keystore_data_file:file { getattr };
457
458# Init creates vold's directory on boot, and walks through
459# the directory as part of a recursive restorecon.
460allow init vold_data_file:dir { open create read getattr setattr search };
461allow init vold_data_file:file { getattr };
462
463# Init creates /data/local/tmp at boot
464allow init shell_data_file:dir { open create read getattr setattr search };
465allow init shell_data_file:file { getattr };
466
467# Set UID, GID, and adjust capability bounding set for services.
468allow init self:global_capability_class_set { setuid setgid setpcap };
469
470# For bootchart to read the /proc/$pid/cmdline file of each process,
471# the following line gives init read access to the files of
472# every domain.
473r_dir_file(init, domain)
474
475# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
476# setexec is for services with seclabel options.
477# setfscreate is for labeling directories and socket files.
478# setsockcreate is for labeling local/unix domain sockets.
479allow init self:process { setexec setfscreate setsockcreate };
480
481# Get file context
482allow init file_contexts_file:file r_file_perms;
483
484# sepolicy access
485allow init sepolicy_file:file r_file_perms;
486
487# Perform SELinux access checks on setting properties.
488selinux_check_access(init)
489
490# Ask the kernel for the new context on services to label their sockets.
491allow init kernel:security compute_create;
492
493# Create sockets for the services.
494allow init domain:unix_stream_socket { create bind setopt };
495allow init domain:unix_dgram_socket { create bind setopt };
496
497# Create /data/property and files within it.
498allow init property_data_file:dir create_dir_perms;
499allow init property_data_file:file create_file_perms;
500
501# Set any property.
502allow init property_type:property_service set;
503
504# Send an SELinux userspace denial to the kernel audit subsystem,
505# so it can be picked up and processed by logd. These denials are
506# generated when an attempt to set a property is denied by policy.
507allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
508allow init self:global_capability_class_set audit_write;
509
510# Run "ifup lo" to bring up the localhost interface
511allow init self:udp_socket { create ioctl };
512# In addition to the unprivileged ioctls granted to all domains, init also needs:
513allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
514allow init self:global_capability_class_set net_raw;
515
516# Set scheduling info for psi monitor thread.
517# TODO: delete or revise this line b/131761776
518allow init kernel:process { getsched setsched };
519
520# swapon() needs write access to swap device
521# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
522allow init swap_block_device:blk_file rw_file_perms;
523
524# Read from /dev/hw_random if present.
525# system/core/init/init.c - mix_hwrng_into_linux_rng_action
526allow init hw_random_device:chr_file r_file_perms;
527
528# Create and access /dev files without a specific type,
529# e.g. /dev/.coldboot_done, /dev/.booting
530# TODO:  Move these files into their own type unless they are
531# only ever accessed by init.
532allow init device:file create_file_perms;
533
534# keychord retrieval from /dev/input/ devices
535allow init input_device:dir r_dir_perms;
536allow init input_device:chr_file rw_file_perms;
537
538# Access device mapper for setting up dm-verity
539allow init dm_device:chr_file rw_file_perms;
540allow init dm_device:blk_file rw_file_perms;
541
542# Access metadata block device for storing dm-verity state
543allow init metadata_block_device:blk_file rw_file_perms;
544
545# Read /sys/fs/pstore/console-ramoops to detect restarts caused
546# by dm-verity detecting corrupted blocks
547allow init pstorefs:dir search;
548allow init pstorefs:file r_file_perms;
549allow init kernel:system syslog_read;
550
551# linux keyring configuration
552allow init init:key { write search setattr };
553
554# Allow init to create /data/unencrypted
555allow init unencrypted_data_file:dir create_dir_perms;
556
557# Set encryption policy on dirs in /data
558allowxperm init { data_file_type unlabeled }:dir ioctl {
559  FS_IOC_GET_ENCRYPTION_POLICY
560  FS_IOC_SET_ENCRYPTION_POLICY
561};
562
563# Raw writes to misc block device
564allow init misc_block_device:blk_file w_file_perms;
565
566r_dir_file(init, system_file)
567r_dir_file(init, vendor_file_type)
568
569allow init system_data_file:file { getattr read };
570allow init system_data_file:lnk_file r_file_perms;
571
572# For init to be able to run shell scripts from vendor
573allow init vendor_shell_exec:file execute;
574
575# Metadata setup
576allow init vold_metadata_file:dir create_dir_perms;
577allow init vold_metadata_file:file getattr;
578allow init metadata_bootstat_file:dir create_dir_perms;
579allow init metadata_bootstat_file:file w_file_perms;
580
581# Allow init to touch PSI monitors
582allow init proc_pressure_mem:file { rw_file_perms setattr };
583
584# init uses the bootstrap bionic libraries.
585allow init system_bootstrap_lib_file:dir r_dir_perms;
586allow init system_bootstrap_lib_file:file { execute read open getattr map };
587
588# stat the root dir of fuse filesystems (for the mount handler)
589allow init fuse:dir { search getattr };
590
591###
592### neverallow rules
593###
594
595# The init domain is only entered via an exec based transition from the
596# kernel domain, never via setcon().
597neverallow domain init:process dyntransition;
598neverallow { domain -kernel } init:process transition;
599neverallow init { file_type fs_type -init_exec }:file entrypoint;
600
601# Never read/follow symlinks created by shell or untrusted apps.
602neverallow init shell_data_file:lnk_file read;
603neverallow init { app_data_file privapp_data_file }:lnk_file read;
604
605# init should never execute a program without changing to another domain.
606neverallow init { file_type fs_type }:file execute_no_trans;
607
608# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
609# when init is executing other binaries. The use of LD_PRELOAD for init spawned
610# services is generally considered a no-no, as it injects libraries which the
611# binary was not expecting. This is especially problematic for APEXes. The use
612# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
613# code into a process which wasn't expecting that code, with potentially
614# unexpected side effects. (b/140789528)
615neverallow init *:process noatsecure;
616
617# init can never add binder services
618neverallow init service_manager_type:service_manager { add find };
619# init can never list binder services
620neverallow init servicemanager:service_manager list;
621
622# Init should not be creating subdirectories in /data/local/tmp
623neverallow init shell_data_file:dir { write add_name remove_name };
624
625# Init should not access sysfs nodes that are not explicitly labeled.
626neverallow init sysfs:file { open read write };
627
628# No domain should be allowed to ptrace init.
629neverallow * init:process ptrace;
630
631# init owns the root of /data
632# TODO(b/140259336) We want to remove vendor_init
633# TODO(b/141108496) We want to remove toolbox
634neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
635