Lines Matching refs:init
1 # init is its own domain.
2 type init, domain, mlstrustedsubject;
4 # The init domain is entered by execing init.
7 # /dev/__null__ node created by init.
8 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
11 # init direct restorecon calls.
14 allow init tmpfs:chr_file relabelfrom;
15 allow init kmsg_device:chr_file { write relabelto };
17 allow init properties_device:dir relabelto;
18 allow init properties_serial:file { write relabelto };
19 allow init property_type:file { create_file_perms relabelto };
21 allow init device:file relabelfrom;
22 allow init runtime_event_log_tags_file:file { open write setattr relabelto };
24 allow init { device socket_device }:dir relabelto;
26 allow init random_device:chr_file relabelto;
28 allow init tmpfs:{ chr_file blk_file } relabelfrom;
29 allow init tmpfs:blk_file getattr;
30 allow init block_device:{ dir blk_file lnk_file } relabelto;
31 allow init dm_device:{ chr_file blk_file } relabelto;
32 allow init kernel:fd use;
34 allow init tmpfs:lnk_file { getattr read relabelfrom };
35 allow init system_block_device:{ blk_file lnk_file } relabelto;
38 allow init self:capability sys_resource;
41 allow init tmpfs:file unlink;
44 allow init devpts:chr_file { read write open };
47 allow init fscklogs:file create_file_perms;
50 allow init tmpfs:chr_file write;
53 allow init console_device:chr_file rw_file_perms;
56 allow init tty_device:chr_file rw_file_perms;
59 allow init self:capability sys_admin;
62 allow init rootfs:dir create_dir_perms;
63 allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postins…
66 allow init device:dir mounton;
69 allow init rootfs:lnk_file { create unlink };
72 allow init sysfs:dir mounton;
75 allow init tmpfs:dir create_dir_perms;
76 allow init tmpfs:dir mounton;
77 allow init cgroup:dir create_dir_perms;
78 r_dir_file(init, cgroup)
79 allow init cpuctl_device:dir { create mounton };
82 allow init configfs:dir mounton;
83 allow init configfs:dir create_dir_perms;
86 allow init tmpfs:dir relabelfrom;
89 allow init self:capability dac_override;
92 allow init self:capability sys_time;
94 allow init self:capability { sys_rawio mknod };
97 allow init dev_type:blk_file r_file_perms;
104 allow init fs_type:filesystem ~relabelto;
105 allow init unlabeled:filesystem ~relabelto;
106 allow init contextmount_type:filesystem relabelto;
109 allow init contextmount_type:dir r_dir_perms;
110 allow init contextmount_type:notdevfile_class_set r_file_perms;
114 allow init rootfs:{ dir file } relabelfrom;
116 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
118 # system/core/init.rc requires at least cache_file and data_file_type.
119 # init.<board>.rc files often include device-specific types, so
121 allow init self:capability { chown fowner fsetid };
123 allow init {
133 allow init {
146 allow init {
160 allow init {
173 allow init {
186 allow init cache_file:lnk_file r_file_perms;
188 allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
189 allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
190 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
191 allow init dev_type:dir create_dir_perms;
192 allow init dev_type:lnk_file create;
195 allow init tracing_shell_writable:file w_file_perms;
198 allow init debugfs_tracing_instances:dir create_dir_perms;
199 allow init debugfs_tracing_instances:file w_file_perms;
200 allow init debugfs_wifi_tracing:file w_file_perms;
203 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
204 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
206 # init should not be able to read or open generic devices
208 allow init {
215 auditallow init {
238 allow init { dev_type -kmem_device -port_device }:chr_file setattr;
241 allow init unlabeled:dir { create_dir_perms relabelfrom };
242 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
246 allow init kernel:system syslog_mod;
247 allow init self:capability2 syslog;
250 allow init usermodehelper:file rw_file_perms;
251 allow init proc_security:file rw_file_perms;
254 r_dir_file(init, proc)
255 allow init proc:file w_file_perms;
258 r_dir_file(init, proc_net)
259 allow init proc_net:file w_file_perms;
260 allow init self:capability net_admin;
263 allow init proc_sysrq:file w_file_perms;
266 allow init proc_stat:file r_file_perms;
269 allow init self:capability sys_boot;
272 allow init sysfs_type:dir r_dir_perms;
273 allow init sysfs_type:lnk_file read;
274 allow init sysfs_type:file rw_file_perms;
278 allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
279 allow init misc_logd_file:file { open create getattr setattr write };
282 allow init self:capability kill;
283 allow init domain:process { sigkill signal };
287 allow init keystore_data_file:dir { open create read getattr setattr search };
288 allow init keystore_data_file:file { getattr };
292 allow init vold_data_file:dir { open create read getattr setattr search };
293 allow init vold_data_file:file { getattr };
296 allow init shell_data_file:dir { open create read getattr setattr search };
297 allow init shell_data_file:file { getattr };
300 allow init self:capability { setuid setgid setpcap };
303 # we need to have following line to allow init to have access
305 r_dir_file(init, domain)
311 allow init self:process { setexec setfscreate setsockcreate };
314 allow init file_contexts_file:file r_file_perms;
317 allow init sepolicy_file:file r_file_perms;
320 selinux_check_access(init)
323 allow init kernel:security compute_create;
326 allow init domain:unix_stream_socket { create bind };
327 allow init domain:unix_dgram_socket { create bind };
330 allow init property_data_file:dir create_dir_perms;
331 allow init property_data_file:file create_file_perms;
334 allow init property_type:property_service set;
339 allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
340 allow init self:capability audit_write;
343 allow init self:udp_socket { create ioctl };
344 # in addition to unpriv ioctls granted to all domains, init also needs:
345 allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
346 allow init self:capability net_raw;
350 allow init kernel:process setsched;
354 allow init swap_block_device:blk_file rw_file_perms;
357 # system/core/init/init.c - mix_hwrng_into_linux_rng_action
358 allow init hw_random_device:chr_file r_file_perms;
363 # only ever accessed by init.
364 allow init device:file create_file_perms;
367 allow init self:capability sys_tty_config;
368 allow init keychord_device:chr_file rw_file_perms;
371 allow init dm_device:chr_file rw_file_perms;
372 allow init dm_device:blk_file rw_file_perms;
375 allow init metadata_block_device:blk_file rw_file_perms;
379 allow init pstorefs:dir search;
380 allow init pstorefs:file r_file_perms;
381 allow init kernel:system syslog_read;
384 allow init init:key { write search setattr };
386 # Allow init to create /data/unencrypted
387 allow init unencrypted_data_file:dir create_dir_perms;
389 # Allow init to write to /proc/sys/vm/overcommit_memory
390 allow init proc_overcommit_memory:file { write };
392 unix_socket_connect(init, vold, vold)
395 allow init misc_block_device:blk_file w_file_perms;
397 r_dir_file(init, system_file)
398 r_dir_file(init, vendor_file_type)
399 allow init proc_meminfo:file r_file_perms;
401 allow init system_data_file:file { getattr read };
402 allow init system_data_file:lnk_file r_file_perms;
404 # For init to be able to run shell scripts from vendor
405 allow init vendor_shell_exec:file execute;
411 # The init domain is only entered via an exec based transition from the
413 neverallow domain init:process dyntransition;
414 neverallow { domain -kernel } init:process transition;
415 neverallow init { file_type fs_type -init_exec }:file entrypoint;
418 neverallow init shell_data_file:lnk_file read;
419 neverallow init app_data_file:lnk_file read;
421 # init should never execute a program without changing to another domain.
422 neverallow init { file_type fs_type }:file execute_no_trans;
425 neverallow init service_manager_type:service_manager { add find };
426 neverallow init servicemanager:service_manager list;
429 neverallow init shell_data_file:dir { write add_name remove_name };