Lines Matching refs:init

1 # init is its own domain.
2 type init, domain, mlstrustedsubject;
4 # The init domain is entered by execing init.
7 # /dev/__null__ node created by init.
8 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
11 # init direct restorecon calls.
14 allow init tmpfs:chr_file relabelfrom;
15 allow init kmsg_device:chr_file { write relabelto };
18   allow init kmsg_debug_device:chr_file { write relabelto };
21 allow init properties_device:dir relabelto;
22 allow init properties_serial:file { write relabelto };
23 allow init property_type:file { create_file_perms relabelto };
25 allow init properties_device:file create_file_perms;
26 allow init property_info:file relabelto;
28 allow init device:file relabelfrom;
29 allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
31 allow init { device socket_device }:dir relabelto;
33 allow init random_device:chr_file relabelto;
35 allow init tmpfs:{ chr_file blk_file } relabelfrom;
36 allow init tmpfs:blk_file getattr;
37 allow init block_device:{ dir blk_file lnk_file } relabelto;
38 allow init dm_device:{ chr_file blk_file } relabelto;
39 allow init kernel:fd use;
41 allow init tmpfs:lnk_file { getattr read relabelfrom };
42 allow init {
49 allow init self:global_capability_class_set sys_resource;
52 allow init tmpfs:file unlink;
55 allow init devpts:chr_file { read write open };
58 allow init fscklogs:file create_file_perms;
61 allow init tmpfs:chr_file write;
64 allow init console_device:chr_file rw_file_perms;
67 allow init tty_device:chr_file rw_file_perms;
70 allow init self:global_capability_class_set sys_admin;
73 allow init rootfs:dir create_dir_perms;
74 allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postins…
75 allow init cgroup_bpf:dir { create mounton };
78 allow init fs_bpf:dir mounton;
81 allow init device:dir mounton;
84 allow init rootfs:lnk_file { create unlink };
87 allow init sysfs:dir mounton;
90 allow init tmpfs:dir create_dir_perms;
91 allow init tmpfs:dir mounton;
92 allow init cgroup:dir create_dir_perms;
93 r_dir_file(init, cgroup)
94 allow init cpuctl_device:dir { create mounton };
97 allow init configfs:dir mounton;
98 allow init configfs:dir create_dir_perms;
99 allow init configfs:{ file lnk_file } create_file_perms;
102 allow init metadata_file:dir mounton;
105 allow init tmpfs:dir relabelfrom;
108 allow init self:global_capability_class_set dac_override;
111 allow init self:global_capability_class_set sys_time;
113 allow init self:global_capability_class_set { sys_rawio mknod };
116 allow init dev_type:blk_file r_file_perms;
123 allow init fs_type:filesystem ~relabelto;
124 allow init unlabeled:filesystem ~relabelto;
125 allow init contextmount_type:filesystem relabelto;
128 allow init contextmount_type:dir r_dir_perms;
129 allow init contextmount_type:notdevfile_class_set r_file_perms;
133 allow init rootfs:{ dir file } relabelfrom;
135 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
137 # system/core/init.rc requires at least cache_file and data_file_type.
138 # init.<board>.rc files often include device-specific types, so
140 allow init self:global_capability_class_set { chown fowner fsetid };
142 allow init {
153 allow init {
167 allow init {
182 allow init {
196 allow init {
210 allow init cache_file:lnk_file r_file_perms;
212 allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
213 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr …
214 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
215 allow init dev_type:dir create_dir_perms;
216 allow init dev_type:lnk_file create;
219 allow init debugfs_tracing:file w_file_perms;
222 allow init debugfs_tracing_instances:dir create_dir_perms;
223 allow init debugfs_tracing_instances:file w_file_perms;
224 allow init debugfs_wifi_tracing:file w_file_perms;
227 allow init {
235 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
237 # init should not be able to read or open generic devices
239 allow init {
246 auditallow init {
269 allow init { dev_type -kmem_device -port_device }:chr_file setattr;
272 allow init unlabeled:dir { create_dir_perms relabelfrom };
273 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
277 allow init kernel:system syslog_mod;
278 allow init self:global_capability2_class_set syslog;
280 # init access to /proc.
281 r_dir_file(init, proc_net)
283 allow init {
293 allow init {
310 allow init {
314 # init access to /sys files.
315 allow init {
321 allow init {
325 allow init {
329 # Allow init to write to vibrator/trigger
330 allow init sysfs_vibrator:file w_file_perms;
332 # init chmod/chown access to /sys files.
333 allow init {
345 allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
347 allow init self:global_capability_class_set net_admin;
350 allow init self:global_capability_class_set sys_boot;
354 allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
355 allow init misc_logd_file:file { open create getattr setattr write };
358 allow init self:global_capability_class_set kill;
359 allow init domain:process { getpgid sigkill signal };
363 allow init keystore_data_file:dir { open create read getattr setattr search };
364 allow init keystore_data_file:file { getattr };
368 allow init vold_data_file:dir { open create read getattr setattr search };
369 allow init vold_data_file:file { getattr };
372 allow init shell_data_file:dir { open create read getattr setattr search };
373 allow init shell_data_file:file { getattr };
376 allow init self:global_capability_class_set { setuid setgid setpcap };
379 # we need to have following line to allow init to have access
381 r_dir_file(init, domain)
387 allow init self:process { setexec setfscreate setsockcreate };
390 allow init file_contexts_file:file r_file_perms;
393 allow init sepolicy_file:file r_file_perms;
396 selinux_check_access(init)
399 allow init kernel:security compute_create;
402 allow init domain:unix_stream_socket { create bind setopt };
403 allow init domain:unix_dgram_socket { create bind setopt };
406 allow init property_data_file:dir create_dir_perms;
407 allow init property_data_file:file create_file_perms;
410 allow init property_type:property_service set;
415 allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
416 allow init self:global_capability_class_set audit_write;
419 allow init self:udp_socket { create ioctl };
420 # in addition to unpriv ioctls granted to all domains, init also needs:
421 allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
422 allow init self:global_capability_class_set net_raw;
426 allow init kernel:process setsched;
430 allow init swap_block_device:blk_file rw_file_perms;
433 # system/core/init/init.c - mix_hwrng_into_linux_rng_action
434 allow init hw_random_device:chr_file r_file_perms;
439 # only ever accessed by init.
440 allow init device:file create_file_perms;
443 allow init self:global_capability_class_set sys_tty_config;
444 allow init keychord_device:chr_file rw_file_perms;
447 allow init dm_device:chr_file rw_file_perms;
448 allow init dm_device:blk_file rw_file_perms;
451 allow init metadata_block_device:blk_file rw_file_perms;
455 allow init pstorefs:dir search;
456 allow init pstorefs:file r_file_perms;
457 allow init kernel:system syslog_read;
460 allow init init:key { write search setattr };
462 # Allow init to create /data/unencrypted
463 allow init unencrypted_data_file:dir create_dir_perms;
465 # Allow init to write to /proc/sys/vm/overcommit_memory
466 allow init proc_overcommit_memory:file { write };
469 allow init misc_block_device:blk_file w_file_perms;
471 r_dir_file(init, system_file)
472 r_dir_file(init, vendor_file_type)
474 allow init system_data_file:file { getattr read };
475 allow init system_data_file:lnk_file r_file_perms;
477 # For init to be able to run shell scripts from vendor
478 allow init vendor_shell_exec:file execute;
481 allow init vold_metadata_file:dir create_dir_perms;
482 allow init vold_metadata_file:file getattr;
488 # The init domain is only entered via an exec based transition from the
490 neverallow domain init:process dyntransition;
491 neverallow { domain -kernel } init:process transition;
492 neverallow init { file_type fs_type -init_exec }:file entrypoint;
495 neverallow init shell_data_file:lnk_file read;
496 neverallow init app_data_file:lnk_file read;
498 # init should never execute a program without changing to another domain.
499 neverallow init { file_type fs_type }:file execute_no_trans;
502 neverallow init service_manager_type:service_manager { add find };
503 neverallow init servicemanager:service_manager list;
506 neverallow init shell_data_file:dir { write add_name remove_name };
509 neverallow init sysfs:file { open read write };