#
# Type-enforcement policy for the init domain.
#
# init is its own domain. It is an MLS trusted subject (mlstrustedsubject);
# the neverallow rules at the end of this file pin down how the domain may
# be entered (exec of init_exec from the kernel domain only, never setcon()).
type init, domain, mlstrustedsubject;
# init_exec labels the init binary, the only valid entrypoint into this domain.
type init_exec, system_file_type, exec_type, file_type;
# init_tmpfs is declared here but is not referenced elsewhere in this file.
type init_tmpfs, file_type;

# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };

#
# init direct restorecon calls.
#
# init relabels the nodes below itself: relabelfrom is granted on the type
# a node is created with, relabelto on the type it ends up with.
#
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { getattr write relabelto };
# /dev/kmsg_debug
userdebug_or_eng(`
  allow init kmsg_debug_device:chr_file { open write relabelto };
')
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
# Full file access on every property_type file: init creates, renames,
# relabels and unlinks the property files.
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
# /dev/__properties__/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
# /dev/event-log-tags
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
allow init { device socket_device }:dir relabelto;
# allow init to establish connection and communicate with lmkd
unix_socket_connect(init, lmkd, lmkd)
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
allow init { null_device ptmx_device random_device } : chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
# Use file descriptors inherited from the kernel domain.
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
allow init {
  metadata_block_device
  misc_block_device
  recovery_block_device
  system_block_device
  userdata_block_device
}:{ blk_file lnk_file } relabelto;

allow init super_block_device:lnk_file relabelto;

# Create /mnt/sdcard -> /storage/self/primary symlink.
allow init mnt_sdcard_file:lnk_file create;

# setrlimit
allow init self:global_capability_class_set sys_resource;

# Remove /dev/.booting and load /debug_ramdisk/* files
allow init tmpfs:file { getattr unlink };

# Access pty created for fsck.
allow init devpts:chr_file { read write open };

# Create /dev/fscklogs files.
allow init fscklogs:file create_file_perms;

# Access /dev/__null__ node created prior to initial policy load.
allow init tmpfs:chr_file write;

# Access /dev/console.
allow init console_device:chr_file rw_file_perms;

# Access /dev/tty0.
allow init tty_device:chr_file rw_file_perms;

# Call mount(2).
allow init self:global_capability_class_set sys_admin;

# Call setns(2).
allow init self:global_capability_class_set sys_chroot;

# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init {
    rootfs
    cache_file
    cgroup
    linkerconfig_file
    storage_file
    mnt_user_file
    system_data_file
    system_data_root_file
    system_file
    vendor_file
    postinstall_mnt_dir
    mirror_data_file
}:dir mounton;
allow init cgroup_bpf:dir { create mounton };

# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;

# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;

# Mount tmpfs on /apex
allow init apex_mnt_dir:dir mounton;

# Bind-mount on /system/apex/com.android.art
allow init art_apex_dir:dir mounton;

# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };

# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;

# Create cgroups mount points in tmpfs and mount cgroups on them.
allow init tmpfs:dir create_dir_perms;
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
allow init cgroup:file rw_file_perms;
allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
allow init vendor_cgroup_desc_file:file r_file_perms;

# /config
allow init configfs:dir mounton;
allow init configfs:dir create_dir_perms;
allow init configfs:{ file lnk_file } create_file_perms;

# /metadata
allow init metadata_file:dir mounton;

# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;

# Create directories under /dev/cpuctl after chowning it to system.
allow init self:global_capability_class_set { dac_override dac_read_search };

# Set system clock.
allow init self:global_capability_class_set sys_time;

# NOTE(review): sys_rawio and mknod carry no justification comment. mknod is
# consistent with the /dev node creation rules above; the consumer of
# sys_rawio is not evident from this file -- confirm it is still required.
allow init self:global_capability_class_set { sys_rawio mknod };

# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
# BLKROSET sets/clears the read-only flag on a block device; it is the only
# ioctl permitted here (allowxperm).
allowxperm init dev_type:blk_file ioctl BLKROSET;

# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;

# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;

# restorecon /adb_keys or any other rootfs files and directories to a more
# specific type.
allow init rootfs:{ dir file } relabelfrom;

# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr, for open()+fchown()/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow init self:global_capability_class_set { chown fowner fsetid };

# The rules below grant init broad file_type access, carved down with
# "-type" exclusions. Excluded types are the ones init must not touch with
# that permission set; several of them (misc_logd_file, credstore_data_file,
# keystore_data_file, vold_data_file, shell_data_file) instead receive a
# narrower, explicit grant further down. Note that the first :dir rule
# (mostly read-side perms) excludes fewer types than the second (write-side
# perms): e.g. shell_data_file directories are readable via the first rule
# while write/add_name/remove_name are withheld by the second.
allow init {
  file_type
  -app_data_file
  -exec_type
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -system_app_data_file
  -system_file_type
  -vendor_file_type
}:dir { create search getattr open read setattr ioctl };

allow init {
  file_type
  -app_data_file
  -exec_type
  -iorapd_data_file
  -credstore_data_file
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -shell_data_file
  -system_app_data_file
  -system_file_type
  -vendor_file_type
  -vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };

allow init {
  file_type
  -apex_info_file
  -app_data_file
  -exec_type
  -gsi_data_file
  -iorapd_data_file
  -credstore_data_file
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -runtime_event_log_tags_file
  -shell_data_file
  -system_app_data_file
  -system_file_type
  -vendor_file_type
  -vold_data_file
}:file { create getattr open read write setattr relabelfrom unlink map };

allow init {
  file_type
  -app_data_file
  -exec_type
  -gsi_data_file
  -iorapd_data_file
  -credstore_data_file
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -shell_data_file
  -system_app_data_file
  -system_file_type
  -vendor_file_type
  -vold_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };

allow init {
  file_type
  -apex_mnt_dir
  -app_data_file
  -exec_type
  -gsi_data_file
  -iorapd_data_file
  -credstore_data_file
  -keystore_data_file
  -misc_logd_file
  -nativetest_data_file
  -privapp_data_file
  -shell_data_file
  -system_app_data_file
  -system_file_type
  -vendor_file_type
  -vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };

allow init cache_file:lnk_file r_file_perms;

# init may relabel (restorecon) to almost any file type; system, vendor,
# executable and app-data types are excluded.
allow init {
  file_type
  -system_file_type
  -vendor_file_type
  -exec_type
  -app_data_file
  -privapp_data_file
}:dir_file_class_set relabelto;

# Relabel sysfs/debugfs nodes: relabelfrom on the generic types, relabelto
# only to types carrying the sysfs_type/debugfs_type attributes.
allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
# Create directories and symlinks under /dev (dev_type).
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;

# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow init debugfs_tracing:file w_file_perms;

# Setup and control wifi event tracing (see wifi-events.rc)
allow init debugfs_tracing_instances:dir create_dir_perms;
allow init debugfs_tracing_instances:file w_file_perms;
allow init debugfs_wifi_tracing:file w_file_perms;

# chown/chmod on pseudo files.
allow init {
  fs_type
  -contextmount_type
  -keychord_device
  -proc_type
  -sdcard_type
  -sysfs_type
  -rootfs
}:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };

# Open these device nodes for reading; together with the setattr grant
# below this covers chown/chmod via open()+fchown()/fchmod().
allow init {
  binder_device
  console_device
  devpts
  dm_device
  hwbinder_device
  hw_random_device
  input_device
  kmsg_device
  null_device
  owntty_device
  pmsg_device
  ptmx_device
  random_device
  tty_device
  zero_device
}:chr_file { read open };

# chown/chmod on devices.
allow init {
  dev_type
  -keychord_device
  -port_device
}:chr_file setattr;

# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };

# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
allow init self:global_capability2_class_set syslog;

# init access to /proc.
r_dir_file(init, proc_net_type)
allow init proc_filesystems:file r_file_perms;

userdebug_or_eng(`
  # Overlayfs workdir write access check during mount to permit remount,rw
  allow init overlayfs_file:dir { relabelfrom mounton write };
  allow init overlayfs_file:file { append };
  allow init system_block_device:blk_file { write };
')

# Read-only access to these /proc files.
allow init {
  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
  proc_cmdline
  proc_diskstats
  proc_kmsg # Open /proc/kmsg for logd service.
  proc_meminfo
  proc_stat # Read /proc/stat for bootchart.
  proc_uptime
  proc_version
}:file r_file_perms;

# Write access to these /proc tunables.
allow init {
  proc_abi
  proc_dirty
  proc_hostname
  proc_hung_task
  proc_extra_free_kbytes
  proc_net_type
  proc_max_map_count
  proc_min_free_order_shift
  proc_overcommit_memory      # /proc/sys/vm/overcommit_memory
  proc_panic
  proc_page_cluster
  proc_perf
  proc_sched
  proc_sysrq
}:file w_file_perms;

# Read and write proc_security files.
allow init {
  proc_security
}:file rw_file_perms;

# init chmod/chown access to /proc files.
allow init {
  proc_cmdline
  proc_kmsg
  proc_net
  proc_pagetypeinfo
  proc_qtaguid_stat
  proc_slabinfo
  proc_sysrq
  proc_qtaguid_ctrl
  proc_vmallocinfo
}:file setattr;

# init access to /sys files.
allow init {
  sysfs_android_usb
  sysfs_dm_verity
  sysfs_leds
  sysfs_power
  sysfs_fs_f2fs
  sysfs_dm
}:file w_file_perms;

allow init {
  sysfs_dt_firmware_android
  sysfs_fs_ext4_features
}:file r_file_perms;

allow init {
  sysfs_zram
}:file rw_file_perms;

# allow init to create loop devices with /dev/loop-control
allow init loop_control_device:chr_file rw_file_perms;
allow init loop_device:blk_file rw_file_perms;
# Loop device ioctls are restricted to the listed commands (allowxperm).
allowxperm init loop_device:blk_file ioctl {
  LOOP_SET_FD
  LOOP_CLR_FD
  LOOP_CTL_GET_FREE
  LOOP_SET_BLOCK_SIZE
  LOOP_SET_DIRECT_IO
};

# Allow init to write to vibrator/trigger
allow init sysfs_vibrator:file w_file_perms;

# init chmod/chown access to /sys files.
allow init {
  sysfs_android_usb
  sysfs_devices_system_cpu
  sysfs_ipv4
  sysfs_leds
  sysfs_lowmemorykiller
  sysfs_power
  sysfs_vibrator
  sysfs_wake_lock
  sysfs_zram
}:file setattr;

# Set usermodehelpers.
allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;

# NOTE(review): net_admin carries no justification comment; it is presumably
# needed for the "ifup lo" SIOCSIFFLAGS ioctl granted below -- confirm.
allow init self:global_capability_class_set net_admin;

# Reboot.
allow init self:global_capability_class_set sys_boot;

# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
# Init will also walk through the directory as part of a recursive restorecon.
allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
allow init misc_logd_file:file { open create getattr setattr write };

# Support "adb shell stop"
allow init self:global_capability_class_set kill;
# init may signal and kill processes in any domain.
allow init domain:process { getpgid sigkill signal };

# Init creates credstore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init credstore_data_file:dir { open create read getattr setattr search };
allow init credstore_data_file:file { getattr };

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };

# Init creates vold's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init vold_data_file:dir { open create read getattr setattr search };
allow init vold_data_file:file { getattr };

# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };

# Set UID, GID, and adjust capability bounding set for services.
allow init self:global_capability_class_set { setuid setgid setpcap };

# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have following line to allow init to have access
# to different domains.
r_dir_file(init, domain)

# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };

# Get file context
allow init file_contexts_file:file r_file_perms;

# sepolicy access
allow init sepolicy_file:file r_file_perms;

# Perform SELinux access checks on setting properties.
selinux_check_access(init)

# Ask the kernel for the new context on services to label their sockets.
allow init kernel:security compute_create;

# Create sockets for the services (see setsockcreate and compute_create
# above for how they get the service's label).
allow init domain:unix_stream_socket { create bind setopt };
allow init domain:unix_dgram_socket { create bind setopt };

# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;

# Set any property. Per-client restrictions are enforced by the userspace
# access check granted above (selinux_check_access), not by this rule.
allow init property_type:property_service set;

# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:global_capability_class_set audit_write;

# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs:
# SIOCSIFFLAGS (set interface flags).
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
allow init self:global_capability_class_set net_raw;

# Set scheduling info for psi monitor thread.
# TODO: delete or revise this line b/131761776
allow init kernel:process { getsched setsched };

# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;

# Read from /dev/hw_random if present.
# system/core/init/init.c - mix_hwrng_into_linux_rng_action
allow init hw_random_device:chr_file r_file_perms;

# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO:  Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file create_file_perms;

# keychord retrieval from /dev/input/ devices
allow init input_device:dir r_dir_perms;
allow init input_device:chr_file rw_file_perms;

# Access device mapper for setting up dm-verity
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;

# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;

# Read /sys/fs/pstore/console-ramoops to detect restarts caused
# by dm-verity detecting corrupted blocks
allow init pstorefs:dir search;
allow init pstorefs:file r_file_perms;
allow init kernel:system syslog_read;

# linux keyring configuration (init's own keyring)
allow init init:key { write search setattr };

# Allow init to create /data/unencrypted
allow init unencrypted_data_file:dir create_dir_perms;

# Set encryption policy on dirs in /data (data_file_type and unlabeled
# directories only; ioctls restricted to the two listed commands).
allowxperm init { data_file_type unlabeled }:dir ioctl {
  FS_IOC_GET_ENCRYPTION_POLICY
  FS_IOC_SET_ENCRYPTION_POLICY
};

# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;

# Read /system and /vendor files and directories.
r_dir_file(init, system_file)
r_dir_file(init, vendor_file_type)

allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file r_file_perms;

# For init to be able to run shell scripts from vendor. Only execute is
# granted, not execute_no_trans: the script must run in another domain
# (enforced by the neverallow below).
allow init vendor_shell_exec:file execute;

# Metadata setup
allow init vold_metadata_file:dir create_dir_perms;
allow init vold_metadata_file:file getattr;
allow init metadata_bootstat_file:dir create_dir_perms;
allow init metadata_bootstat_file:file w_file_perms;

# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { rw_file_perms setattr };

# init is using bootstrap bionic
allow init system_bootstrap_lib_file:dir r_dir_perms;
allow init system_bootstrap_lib_file:file { execute read open getattr map };

# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };

###
### neverallow rules
###

# The init domain is only entered via an exec based transition from the
# kernel domain, never via setcon().
neverallow domain init:process dyntransition;
neverallow { domain -kernel } init:process transition;
# init_exec is the only file that may serve as an entrypoint into init.
neverallow init { file_type fs_type -init_exec }:file entrypoint;

# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
neverallow init { app_data_file privapp_data_file }:lnk_file read;

# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;

# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
# when init is executing other binaries. The use of LD_PRELOAD for init spawned
# services is generally considered a no-no, as it injects libraries which the
# binary was not expecting. This is especially problematic for APEXes. The use
# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
# code into a process which wasn't expecting that code, with potentially
# unexpected side effects. (b/140789528)
neverallow init *:process noatsecure;

# init can never add binder services
neverallow init service_manager_type:service_manager { add find };
# init can never list binder services
neverallow init servicemanager:service_manager list;

# Init should not be creating subdirectories in /data/local/tmp
neverallow init shell_data_file:dir { write add_name remove_name };

# Init should not access sysfs nodes that are not explicitly labeled.
neverallow init sysfs:file { open read write };

# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;

# init owns the root of /data
# TODO(b/140259336) We want to remove vendor_init
# TODO(b/141108496) We want to remove toolbox
neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
