Lines Matching refs:init
# NOTE(review): this is a cross-reference listing, not the whole policy file.
# Only lines that mention "init" appear (the gutter numbers skip), so rules that
# open with `allow init {` lose their type sets and permissions, and lines
# ending in "…" are cut short. Audit the complete file before relying on any
# rule shown here.
1 # init is its own domain.
# Declares the type init with the attributes domain and mlstrustedsubject.
# NOTE(review): mlstrustedsubject presumably exempts init from the MLS
# constraints - confirm against the policy's MLS constraint definitions.
2 type init, domain, mlstrustedsubject;
6 # /dev/__null__ node created by init.
# rw_file_perms is a permission-set macro defined outside this listing.
7 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
10 # init direct restorecon calls.
# A relabel is checked twice: relabelfrom against the label the object leaves
# and relabelto against the label it receives. In the complete rules of this
# group, relabelfrom is granted on tmpfs and device, and relabelto on the
# final device and property types.
13 allow init tmpfs:chr_file relabelfrom;
14 allow init kmsg_device:chr_file { getattr write relabelto };
17 allow init kmsg_debug_device:chr_file { open write relabelto };
20 allow init properties_device:dir relabelto;
21 allow init properties_serial:file { write relabelto };
# Permission list truncated by the listing ("…"); the full set is not visible.
22 allow init property_type:file { append create getattr map open read relabelto rename setattr unlink…
24 allow init properties_device:file create_file_perms;
25 allow init property_info:file relabelto;
27 allow init device:file relabelfrom;
28 allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
30 allow init { device socket_device }:dir relabelto;
31 # allow init to establish connection and communicate with lmkd
# unix_socket_connect is a policy macro defined outside this listing.
32 unix_socket_connect(init, lmkd, lmkd)
33 # Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
34 allow init { null_device ptmx_device random_device } : chr_file relabelto;
36 allow init tmpfs:{ chr_file blk_file } relabelfrom;
37 allow init tmpfs:blk_file getattr;
38 allow init block_device:{ dir blk_file lnk_file } relabelto;
39 allow init dm_device:{ chr_file blk_file } relabelto;
# fd use: init may use file descriptors opened by the kernel domain.
40 allow init kernel:fd use;
42 allow init tmpfs:lnk_file { getattr read relabelfrom };
# Rule cut by the listing: its target types and permissions are not shown.
43 allow init {
51 allow init super_block_device:lnk_file relabelto;
54 allow init mnt_sdcard_file:lnk_file create;
# Capability, console and mount-point rules for init.
# A `self:<capability class>` rule lets init exercise a Linux capability it
# already holds; SELinux does not hand out the capability itself.
# NOTE(review): global_capability_class_set, rw_file_perms, r_file_perms,
# create_file_perms and create_dir_perms are macros defined outside this
# listing - expand them before judging how wide a rule is.
57 allow init self:global_capability_class_set sys_resource;
60 allow init tmpfs:file { getattr unlink };
63 allow init devpts:chr_file { read write open };
66 allow init fscklogs:file create_file_perms;
69 allow init tmpfs:chr_file write;
72 allow init console_device:chr_file rw_file_perms;
75 allow init tty_device:chr_file rw_file_perms;
# sys_admin is a very broad capability; in this file it sits next to the
# mounton rules below. NOTE(review): the comment explaining its use is on a
# line this listing does not show.
78 allow init self:global_capability_class_set sys_admin;
81 allow init self:global_capability_class_set sys_chroot;
84 allow init rootfs:dir create_dir_perms;
# Rule cut by the listing: its target types and permissions are not shown.
85 allow init {
# mounton permits using the directory as a mount point. Each type below is a
# place where init may attach a filesystem.
99 allow init cgroup_bpf:dir { create mounton };
102 allow init fs_bpf:dir mounton;
105 allow init device:dir mounton;
108 allow init apex_mnt_dir:dir mounton;
111 allow init art_apex_dir:dir mounton;
114 allow init rootfs:lnk_file { create unlink };
117 allow init sysfs:dir mounton;
120 allow init tmpfs:dir create_dir_perms;
121 allow init tmpfs:dir mounton;
122 allow init cgroup:dir create_dir_perms;
123 allow init cgroup:file rw_file_perms;
124 allow init cgroup_rc_file:file rw_file_perms;
125 allow init cgroup_desc_file:file r_file_perms;
126 allow init vendor_cgroup_desc_file:file r_file_perms;
129 allow init configfs:dir mounton;
130 allow init configfs:dir create_dir_perms;
131 allow init configfs:{ file lnk_file } create_file_perms;
134 allow init metadata_file:dir mounton;
137 allow init tmpfs:dir relabelfrom;
# dac_override and dac_read_search let init pass discretionary (mode-bit)
# file checks. For init's file access, the type-enforcement rules in this
# policy are therefore the control that still applies.
140 allow init self:global_capability_class_set { dac_override dac_read_search };
143 allow init self:global_capability_class_set sys_time;
145 allow init self:global_capability_class_set { sys_rawio mknod };
148 allow init dev_type:blk_file r_file_perms;
# allowxperm filters ioctl by command: once an allowxperm rule exists for this
# source/target/class, only the commands named in such rules pass. The only
# command named on this line is BLKROSET.
149 allowxperm init dev_type:blk_file ioctl BLKROSET;
# Filesystem-level permissions. `~relabelto` is the complement operator: every
# permission of the filesystem class except relabelto, on all fs_type types and
# on unlabeled. relabelto on a filesystem is granted only for
# contextmount_type.
156 allow init fs_type:filesystem ~relabelto;
157 allow init unlabeled:filesystem ~relabelto;
158 allow init contextmount_type:filesystem relabelto;
161 allow init contextmount_type:dir r_dir_perms;
162 allow init contextmount_type:notdevfile_class_set r_file_perms;
166 allow init rootfs:{ dir file } relabelfrom;
168 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
170 # system/core/init.rc requires at least cache_file and data_file_type.
171 # init.<board>.rc files often include device-specific types, so
# chown, fowner and fsetid let init change ownership and mode bits on files it
# does not own, matching the chown/chmod operations named above.
173 allow init self:global_capability_class_set { chown fowner fsetid };
# The next five rules are cut by the listing after their first line; the type
# sets (including any `-type` exclusions) and permissions are not visible.
# NOTE(review): these are the rules that bound what init.rc file operations
# can touch - read them in the complete file.
175 allow init {
187 allow init {
204 allow init {
223 allow init {
241 allow init {
260 allow init cache_file:lnk_file r_file_perms;
# Rule cut by the listing: its target types and permissions are not shown.
262 allow init {
# Permission list truncated by the listing ("…").
271 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr …
272 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
273 allow init dev_type:dir create_dir_perms;
274 allow init dev_type:lnk_file create;
# Write-only access (w_file_perms, defined outside this listing) to tracing
# control files.
277 allow init debugfs_tracing:file w_file_perms;
280 allow init debugfs_tracing_instances:dir create_dir_perms;
281 allow init debugfs_tracing_instances:file w_file_perms;
282 allow init debugfs_wifi_tracing:file w_file_perms;
# Rule cut by the listing: its target types and permissions are not shown.
285 allow init {
# `-type` inside a set subtracts: this covers every fs_type except
# contextmount_type, sdcard_type and rootfs.
294 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
# Rules cut by the listing: target types and permissions are not shown.
296 allow init {
315 allow init {
# init may create objects labelled unlabeled and relabel them away from that
# label (relabelfrom).
322 allow init unlabeled:dir { create_dir_perms relabelfrom };
323 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
# Kernel log control: syslog_mod on the kernel's system class plus the syslog
# capability on init itself.
327 allow init kernel:system syslog_mod;
328 allow init self:global_capability2_class_set syslog;
330 # init access to /proc.
# r_dir_file is a policy macro defined outside this listing.
331 r_dir_file(init, proc_net_type)
332 allow init proc_filesystems:file r_file_perms;
# NOTE(review): write access to system_block_device is listed next to the
# overlayfs rules; the comment that justifies it is on a line not shown, so
# check the complete file for the intended scope.
336 allow init overlayfs_file:dir { relabelfrom mounton write };
337 allow init overlayfs_file:file { append };
338 allow init system_block_device:blk_file { write };
# Rules cut by the listing: target types and permissions are not shown.
341 allow init {
352 allow init {
369 allow init {
373 # init chmod/chown access to /proc files.
374 allow init {
385 # init access to /sys files.
386 allow init {
395 allow init {
400 allow init {
404 # allow init to create loop devices with /dev/loop-control
405 allow init loop_control_device:chr_file rw_file_perms;
406 allow init loop_device:blk_file rw_file_perms;
# ioctl allowlist for loop devices; the command names are cut by the listing.
407 allowxperm init loop_device:blk_file ioctl {
415 # Allow init to write to vibrator/trigger
416 allow init sysfs_vibrator:file w_file_perms;
418 # init chmod/chown access to /sys files.
419 allow init {
432 allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
434 allow init self:global_capability_class_set net_admin;
437 allow init self:global_capability_class_set sys_boot;
441 allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
442 allow init misc_logd_file:file { open create getattr setattr write };
# The kill capability together with getpgid/sigkill/signal on the domain
# attribute: init may signal every process whose type carries that attribute.
445 allow init self:global_capability_class_set kill;
446 allow init domain:process { getpgid sigkill signal };
# For the four sensitive data types below the directory permissions omit
# write, add_name and remove_name, and the file permission is getattr only.
# On the rules shown, init can create, list and stat these directories but
# cannot open or read the files inside them.
450 allow init credstore_data_file:dir { open create read getattr setattr search };
451 allow init credstore_data_file:file { getattr };
455 allow init keystore_data_file:dir { open create read getattr setattr search };
456 allow init keystore_data_file:file { getattr };
460 allow init vold_data_file:dir { open create read getattr setattr search };
461 allow init vold_data_file:file { getattr };
464 allow init shell_data_file:dir { open create read getattr setattr search };
465 allow init shell_data_file:file { getattr };
# setuid, setgid and setpcap: init may change its uid/gid and capability sets.
# NOTE(review): presumably used when launching services under other
# identities - the explaining comment is on a line not shown.
468 allow init self:global_capability_class_set { setuid setgid setpcap };
471 # we need to have following line to allow init to have access
473 r_dir_file(init, domain)
# setexec, setfscreate and setsockcreate let init choose the security context
# for its next exec, for files it creates and for sockets it creates.
479 allow init self:process { setexec setfscreate setsockcreate };
482 allow init file_contexts_file:file r_file_perms;
485 allow init sepolicy_file:file r_file_perms;
# selinux_check_access is a policy macro defined outside this listing.
488 selinux_check_access(init)
491 allow init kernel:security compute_create;
# init may create, bind and set options on unix sockets labelled with any
# type that carries the domain attribute.
494 allow init domain:unix_stream_socket { create bind setopt };
495 allow init domain:unix_dgram_socket { create bind setopt };
498 allow init property_data_file:dir create_dir_perms;
499 allow init property_data_file:file create_file_perms;
# set on the whole property_type attribute: init may set every property type.
502 allow init property_type:property_service set;
507 allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
508 allow init self:global_capability_class_set audit_write;
511 allow init self:udp_socket { create ioctl };
512 # in addition to unpriv ioctls granted to all domains, init also needs:
# The one extra ioctl command named on this line is SIOCSIFFLAGS.
513 allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
514 allow init self:global_capability_class_set net_raw;
518 allow init kernel:process { getsched setsched };
522 allow init swap_block_device:blk_file rw_file_perms;
525 # system/core/init/init.c - mix_hwrng_into_linux_rng_action
# Read-only access to the hardware RNG device.
526 allow init hw_random_device:chr_file r_file_perms;
531 # only ever accessed by init.
532 allow init device:file create_file_perms;
535 allow init input_device:dir r_dir_perms;
536 allow init input_device:chr_file rw_file_perms;
539 allow init dm_device:chr_file rw_file_perms;
540 allow init dm_device:blk_file rw_file_perms;
543 allow init metadata_block_device:blk_file rw_file_perms;
547 allow init pstorefs:dir search;
548 allow init pstorefs:file r_file_perms;
549 allow init kernel:system syslog_read;
# Key-class permissions on keys labelled init.
552 allow init init:key { write search setattr };
554 # Allow init to create /data/unencrypted
555 allow init unencrypted_data_file:dir create_dir_perms;
# ioctl allowlist for data directories; the command names are cut by the
# listing.
558 allowxperm init { data_file_type unlabeled }:dir ioctl {
# Write-only access to the misc block device.
564 allow init misc_block_device:blk_file w_file_perms;
566 r_dir_file(init, system_file)
567 r_dir_file(init, vendor_file_type)
569 allow init system_data_file:file { getattr read };
570 allow init system_data_file:lnk_file r_file_perms;
572 # For init to be able to run shell scripts from vendor
# Only `execute` is granted, not execute_no_trans. The neverallow at gutter
# line 606 of this file forbids execute_no_trans, so running the vendor shell
# has to enter another domain.
573 allow init vendor_shell_exec:file execute;
576 allow init vold_metadata_file:dir create_dir_perms;
577 allow init vold_metadata_file:file getattr;
578 allow init metadata_bootstat_file:dir create_dir_perms;
579 allow init metadata_bootstat_file:file w_file_perms;
581 # Allow init to touch PSI monitors
582 allow init proc_pressure_mem:file { rw_file_perms setattr };
584 # init is using bootstrap bionic
# execute and map on the bootstrap libraries so they can be loaded as code.
585 allow init system_bootstrap_lib_file:dir r_dir_perms;
586 allow init system_bootstrap_lib_file:file { execute read open getattr map };
589 allow init fuse:dir { search getattr };
# neverallow rules are assertions checked when the policy is compiled, not
# runtime rules: the build fails if any allow rule matches one of them. They
# pin down invariants of the init domain that later policy additions must not
# weaken.
595 # The init domain is only entered via an exec based transition from the
# No domain may dyntransition into init, and only kernel may transition into
# it. The only files usable as the entrypoint are those labelled init_exec.
597 neverallow domain init:process dyntransition;
598 neverallow { domain -kernel } init:process transition;
599 neverallow init { file_type fs_type -init_exec }:file entrypoint;
# init must never read symlinks in shell or app data.
# NOTE(review): presumably so init cannot be steered through symlinks placed
# by less-trusted domains - the explaining comment is on lines not shown.
602 neverallow init shell_data_file:lnk_file read;
603 neverallow init { app_data_file privapp_data_file }:lnk_file read;
605 # init should never execute a program without changing to another domain.
# execute_no_trans would run a program while staying in the init domain.
606 neverallow init { file_type fs_type }:file execute_no_trans;
609 # when init is executing other binaries. The use of LD_PRELOAD for init spawned
# noatsecure would turn off secure-execution mode (AT_SECURE) for the
# executed program. Forbidding it keeps the dynamic loader's secure-mode
# handling of environment variables such as LD_PRELOAD in effect.
# NOTE(review): the rest of the original comment is on lines not shown.
615 neverallow init *:process noatsecure;
617 # init can never add binder services
618 neverallow init service_manager_type:service_manager { add find };
619 # init can never list binder services
620 neverallow init servicemanager:service_manager list;
# init must not modify the contents of shell data directories.
623 neverallow init shell_data_file:dir { write add_name remove_name };
# init must not open, read or write files that carry the generic sysfs label.
# The /sys rules in this file that grant file access name more specific types
# (for example sysfs_vibrator).
626 neverallow init sysfs:file { open read write };
628 # No domain should be allowed to ptrace init.
629 neverallow * init:process ptrace;
631 # init owns the root of /data
# Only init, toolbox, vendor_init and vold are exempt from this assertion.
# The permission list is truncated by the listing ("…").
634 neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name …