1# vendor_init is its own domain.
2type vendor_init, domain, mlstrustedsubject;
3
4# Communication to the main init process
5allow vendor_init init:unix_stream_socket { read write };
6
7# Logging to kmsg
8allow vendor_init kmsg_device:chr_file { open getattr write };
9
10# Mount on /dev/usb-ffs/adb.
11allow vendor_init device:dir mounton;
12
13# Create and remove symlinks in /.
14allow vendor_init rootfs:lnk_file { create unlink };
15
16# Create cgroups mount points in tmpfs and mount cgroups on them.
17allow vendor_init cgroup:dir create_dir_perms;
18allow vendor_init cgroup:file w_file_perms;
19
20# /config
21allow vendor_init configfs:dir mounton;
22allow vendor_init configfs:dir create_dir_perms;
23allow vendor_init configfs:{ file lnk_file } create_file_perms;
24
25# Create directories under /dev/cpuctl after chowning it to system.
26allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
27
28# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
29# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
30# system/core/init.rc requires at least cache_file and data_file_type.
31# init.<board>.rc files often include device-specific types, so
32# we just allow all file types except /system files here.
33allow vendor_init self:global_capability_class_set { chown fowner fsetid };
34
35# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
36allow vendor_init unencrypted_data_file:dir search;
37allow vendor_init unencrypted_data_file:file r_file_perms;
38
39# Set encryption policy on dirs in /data
40allowxperm vendor_init data_file_type:dir ioctl {
41  FS_IOC_GET_ENCRYPTION_POLICY
42  FS_IOC_SET_ENCRYPTION_POLICY
43};
44
45allow vendor_init system_data_file:dir getattr;
46
47allow vendor_init {
48  file_type
49  -core_data_file_type
50  -exec_type
51  -system_file_type
52  -mnt_product_file
53  -password_slot_metadata_file
54  -ota_metadata_file
55  -unlabeled
56  -vendor_file_type
57  -vold_metadata_file
58  -gsi_metadata_file
59  -apex_metadata_file
60}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
61
62allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
63
64allow vendor_init {
65  file_type
66  -core_data_file_type
67  -exec_type
68  -password_slot_metadata_file
69  -ota_metadata_file
70  -runtime_event_log_tags_file
71  -system_file_type
72  -unlabeled
73  -vendor_file_type
74  -vold_metadata_file
75  -gsi_metadata_file
76  -apex_metadata_file
77  -apex_info_file
78}:file { create getattr open read write setattr relabelfrom unlink map };
79
80allow vendor_init {
81  file_type
82  -core_data_file_type
83  -exec_type
84  -password_slot_metadata_file
85  -ota_metadata_file
86  -system_file_type
87  -unlabeled
88  -vendor_file_type
89  -vold_metadata_file
90  -gsi_metadata_file
91  -apex_metadata_file
92}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
93
94allow vendor_init {
95  file_type
96  -apex_mnt_dir
97  -core_data_file_type
98  -exec_type
99  -password_slot_metadata_file
100  -ota_metadata_file
101  -system_file_type
102  -unlabeled
103  -vendor_file_type
104  -vold_metadata_file
105  -gsi_metadata_file
106  -apex_metadata_file
107}:lnk_file { create getattr setattr relabelfrom unlink };
108
109allow vendor_init {
110  file_type
111  -core_data_file_type
112  -exec_type
113  -mnt_product_file
114  -password_slot_metadata_file
115  -ota_metadata_file
116  -system_file_type
117  -vendor_file_type
118  -vold_metadata_file
119  -gsi_metadata_file
120  -apex_metadata_file
121}:dir_file_class_set relabelto;
122
123allow vendor_init dev_type:dir create_dir_perms;
124allow vendor_init dev_type:lnk_file create;
125
126# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
127allow vendor_init debugfs_tracing:file w_file_perms;
128
129# chown/chmod on pseudo files.
130allow vendor_init {
131  fs_type
132  -contextmount_type
133  -keychord_device
134  -sdcard_type
135  -rootfs
136  -proc_uid_time_in_state
137  -proc_uid_concurrent_active_time
138  -proc_uid_concurrent_policy_time
139}:file { open read setattr map };
140
141allow vendor_init {
142  fs_type
143  -contextmount_type
144  -sdcard_type
145  -rootfs
146  -proc_uid_time_in_state
147  -proc_uid_concurrent_active_time
148  -proc_uid_concurrent_policy_time
149}:dir  { open read setattr search };
150
151# chown/chmod on devices, e.g. /dev/ttyHS0
152allow vendor_init {
153  dev_type
154  -keychord_device
155  -port_device
156  -lowpan_device
157  -hw_random_device
158}:chr_file setattr;
159
160allow vendor_init dev_type:blk_file getattr;
161
162# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
163r_dir_file(vendor_init, proc_net_type)
164allow vendor_init proc_net_type:file w_file_perms;
165allow vendor_init self:global_capability_class_set net_admin;
166
167# Write to /proc/sys/vm/page-cluster
168allow vendor_init proc_page_cluster:file w_file_perms;
169
170# Write to sysfs nodes.
171allow vendor_init sysfs_type:dir r_dir_perms;
172allow vendor_init sysfs_type:lnk_file read;
173allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
174
175# setfscreatecon() for labeling directories and socket files.
176allow vendor_init self:process { setfscreate };
177
178r_dir_file(vendor_init, vendor_file_type)
179
180# Vendor init can read properties
181allow vendor_init serialno_prop:file { getattr open read map };
182
183# Vendor init can perform operations on trusted and security Extended Attributes
184allow vendor_init self:global_capability_class_set sys_admin;
185
186# Raw writes to misc block device
187allow vendor_init misc_block_device:blk_file w_file_perms;
188
189# vendor_init is using bootstrap bionic
190allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
191allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
192
193# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
194# the dynamic linker and shared libraries.
195recovery_only(`
196  allow vendor_init rootfs:file { r_file_perms execute };
197')
198
199not_compatible_property(`
200    set_prop(vendor_init, {
201      property_type
202      -system_internal_property_type
203      -system_restricted_property_type
204    })
205')
206
207# Get file context
208allow vendor_init file_contexts_file:file r_file_perms;
209
210set_prop(vendor_init, apk_verity_prop)
211set_prop(vendor_init, bluetooth_a2dp_offload_prop)
212set_prop(vendor_init, bluetooth_audio_hal_prop)
213set_prop(vendor_init, cpu_variant_prop)
214set_prop(vendor_init, dalvik_runtime_prop)
215set_prop(vendor_init, debug_prop)
216set_prop(vendor_init, exported_bluetooth_prop)
217set_prop(vendor_init, exported_camera_prop)
218set_prop(vendor_init, exported_config_prop)
219set_prop(vendor_init, exported_default_prop)
220set_prop(vendor_init, exported_overlay_prop)
221set_prop(vendor_init, exported_pm_prop)
222set_prop(vendor_init, exported2_system_prop)
223set_prop(vendor_init, exported3_radio_prop)
224set_prop(vendor_init, ffs_control_prop)
225set_prop(vendor_init, incremental_prop)
226set_prop(vendor_init, lmkd_prop)
227set_prop(vendor_init, logd_prop)
228set_prop(vendor_init, log_tag_prop)
229set_prop(vendor_init, log_prop)
230set_prop(vendor_init, rebootescrow_hal_prop)
231set_prop(vendor_init, serialno_prop)
232set_prop(vendor_init, surfaceflinger_color_prop)
233set_prop(vendor_init, usb_control_prop)
234set_prop(vendor_init, userspace_reboot_config_prop)
235set_prop(vendor_init, vehicle_hal_prop)
236set_prop(vendor_init, vendor_default_prop)
237set_prop(vendor_init, vendor_security_patch_level_prop)
238set_prop(vendor_init, vndk_prop)
239set_prop(vendor_init, virtual_ab_prop)
240set_prop(vendor_init, wifi_hal_prop)
241set_prop(vendor_init, wifi_log_prop)
242set_prop(vendor_init, zram_control_prop)
243
244get_prop(vendor_init, boot_status_prop)
245get_prop(vendor_init, exported3_system_prop)
246get_prop(vendor_init, ota_prop)
247get_prop(vendor_init, provisioned_prop)
248get_prop(vendor_init, retaildemo_prop)
249get_prop(vendor_init, theme_prop)
250
251
252###
253### neverallow rules
254###
255
256# Vendor init shouldn't communicate with any vendor process, nor most system processes.
257neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
258
259# The vendor_init domain is only entered via an exec based transition from the
260# init domain, never via setcon().
261neverallow domain vendor_init:process dyntransition;
262neverallow { domain -init } vendor_init:process transition;
263neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
264
265# Never read/follow symlinks created by shell or untrusted apps.
266neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
267neverallow vendor_init shell_data_file:lnk_file read;
268# Init should not be creating subdirectories in /data/local/tmp
269neverallow vendor_init shell_data_file:dir { write add_name remove_name };
270
271# init should never execute a program without changing to another domain.
272neverallow vendor_init { file_type fs_type }:file execute_no_trans;
273
274# Init never adds or uses services via service_manager.
275neverallow vendor_init service_manager_type:service_manager { add find };
276neverallow vendor_init servicemanager:service_manager list;
277
278# vendor_init should never be ptraced
279neverallow * vendor_init:process ptrace;
280