2015-04-24 11:38:10 -07:00
|
|
|
# init is its own domain.
|
2017-02-10 12:06:46 -08:00
|
|
|
type init, domain, mlstrustedsubject;
|
2018-09-27 10:21:37 -07:00
|
|
|
type init_exec, system_file_type, exec_type, file_type;
|
2019-01-23 15:07:40 -08:00
|
|
|
type init_tmpfs, file_type;
|
2015-04-24 11:38:10 -07:00
|
|
|
|
|
|
|
|
# /dev/__null__ node created by init.
|
2017-01-20 14:26:05 -08:00
|
|
|
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
|
2015-04-24 11:38:10 -07:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# init direct restorecon calls.
|
|
|
|
|
#
|
2016-08-11 09:16:39 -07:00
|
|
|
# /dev/kmsg
|
|
|
|
|
allow init tmpfs:chr_file relabelfrom;
|
|
|
|
|
allow init kmsg_device:chr_file { write relabelto };
|
2017-03-28 13:09:37 -07:00
|
|
|
# /dev/kmsg_debug
|
|
|
|
|
userdebug_or_eng(`
|
|
|
|
|
allow init kmsg_debug_device:chr_file { write relabelto };
|
|
|
|
|
')
|
2015-04-24 11:38:10 -07:00
|
|
|
# /dev/__properties__
|
2015-12-01 16:58:27 -08:00
|
|
|
allow init properties_device:dir relabelto;
|
|
|
|
|
allow init properties_serial:file { write relabelto };
|
2018-10-10 09:02:12 -07:00
|
|
|
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
|
2017-11-16 14:25:02 -08:00
|
|
|
# /dev/__properties__/property_info
|
|
|
|
|
allow init properties_device:file create_file_perms;
|
|
|
|
|
allow init property_info:file relabelto;
|
2016-09-13 09:33:35 -07:00
|
|
|
# /dev/event-log-tags
|
|
|
|
|
allow init device:file relabelfrom;
|
2017-11-30 15:38:19 -08:00
|
|
|
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
|
2016-08-11 09:16:39 -07:00
|
|
|
# /dev/socket
|
|
|
|
|
allow init { device socket_device }:dir relabelto;
|
2018-07-30 16:24:29 -07:00
|
|
|
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
|
|
|
|
|
allow init { null_device ptmx_device random_device } : chr_file relabelto;
|
2016-01-28 01:40:42 -08:00
|
|
|
# /dev/device-mapper, /dev/block(/.*)?
|
|
|
|
|
allow init tmpfs:{ chr_file blk_file } relabelfrom;
|
|
|
|
|
allow init tmpfs:blk_file getattr;
|
2017-02-14 15:56:46 -08:00
|
|
|
allow init block_device:{ dir blk_file lnk_file } relabelto;
|
2016-01-28 01:40:42 -08:00
|
|
|
allow init dm_device:{ chr_file blk_file } relabelto;
|
2016-09-09 16:27:17 -07:00
|
|
|
allow init kernel:fd use;
|
2017-02-14 15:56:46 -08:00
|
|
|
# restorecon for early mount device symlinks
|
|
|
|
|
allow init tmpfs:lnk_file { getattr read relabelfrom };
|
2018-03-15 00:39:00 -07:00
|
|
|
allow init {
|
2019-01-14 12:14:35 -08:00
|
|
|
metadata_block_device
|
2018-03-15 00:39:00 -07:00
|
|
|
misc_block_device
|
|
|
|
|
recovery_block_device
|
|
|
|
|
system_block_device
|
2019-01-03 18:25:51 -08:00
|
|
|
userdata_block_device
|
2018-03-15 00:39:00 -07:00
|
|
|
}:{ blk_file lnk_file } relabelto;
|
2015-04-24 11:38:10 -07:00
|
|
|
|
2014-10-24 12:56:15 -07:00
|
|
|
# setrlimit
|
2017-11-09 14:51:26 -08:00
|
|
|
allow init self:global_capability_class_set sys_resource;
|
2014-10-24 12:56:15 -07:00
|
|
|
|
|
|
|
|
# Remove /dev/.booting, created before initial policy load or restorecon /dev.
|
|
|
|
|
allow init tmpfs:file unlink;
|
|
|
|
|
|
|
|
|
|
# Access pty created for fsck.
|
|
|
|
|
allow init devpts:chr_file { read write open };
|
|
|
|
|
|
|
|
|
|
# Create /dev/fscklogs files.
|
|
|
|
|
allow init fscklogs:file create_file_perms;
|
|
|
|
|
|
|
|
|
|
# Access /dev/__null__ node created prior to initial policy load.
|
|
|
|
|
allow init tmpfs:chr_file write;
|
|
|
|
|
|
|
|
|
|
# Access /dev/console.
|
|
|
|
|
allow init console_device:chr_file rw_file_perms;
|
|
|
|
|
|
|
|
|
|
# Access /dev/tty0.
|
|
|
|
|
allow init tty_device:chr_file rw_file_perms;
|
|
|
|
|
|
|
|
|
|
# Call mount(2).
|
2017-11-09 14:51:26 -08:00
|
|
|
allow init self:global_capability_class_set sys_admin;
|
2014-10-24 12:56:15 -07:00
|
|
|
|
2019-01-17 05:34:51 -08:00
|
|
|
# Call setns(2).
|
|
|
|
|
allow init self:global_capability_class_set sys_chroot;
|
|
|
|
|
|
2014-10-24 12:56:15 -07:00
|
|
|
# Create and mount on directories in /.
|
|
|
|
|
allow init rootfs:dir create_dir_perms;
|
2017-04-01 17:17:12 -07:00
|
|
|
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
|
2017-08-01 18:06:18 -07:00
|
|
|
allow init cgroup_bpf:dir { create mounton };
|
|
|
|
|
|
|
|
|
|
# Mount bpf fs on sys/fs/bpf
|
|
|
|
|
allow init fs_bpf:dir mounton;
|
2014-10-24 12:56:15 -07:00
|
|
|
|
|
|
|
|
# Mount on /dev/usb-ffs/adb.
|
|
|
|
|
allow init device:dir mounton;
|
|
|
|
|
|
2018-08-17 00:35:42 -07:00
|
|
|
# Mount tmpfs on /apex
|
|
|
|
|
allow init apex_mnt_dir:dir mounton;
|
|
|
|
|
|
2019-01-24 00:57:12 -08:00
|
|
|
# Mount Bionic libraries and dynamic linkers
|
2019-01-02 06:30:04 -08:00
|
|
|
allow init system_lib_file:file mounton;
|
|
|
|
|
allow init system_linker_exec:file mounton;
|
2019-01-24 00:57:12 -08:00
|
|
|
# The mount points under /bionic are rootfs in recovery mode. Init should
|
|
|
|
|
# be able to bind-mount the bootstrap Bionic to the mount points.
|
|
|
|
|
recovery_only(`
|
|
|
|
|
allow init rootfs:file mounton;
|
|
|
|
|
')
|
2019-01-02 06:30:04 -08:00
|
|
|
|
2014-12-23 17:08:58 -08:00
|
|
|
# Create and remove symlinks in /.
|
|
|
|
|
allow init rootfs:lnk_file { create unlink };
|
2014-10-24 12:56:15 -07:00
|
|
|
|
|
|
|
|
# Mount debugfs on /sys/kernel/debug.
|
|
|
|
|
allow init sysfs:dir mounton;
|
|
|
|
|
|
|
|
|
|
# Create cgroups mount points in tmpfs and mount cgroups on them.
|
|
|
|
|
allow init tmpfs:dir create_dir_perms;
|
|
|
|
|
allow init tmpfs:dir mounton;
|
|
|
|
|
allow init cgroup:dir create_dir_perms;
|
2018-10-10 15:48:15 -07:00
|
|
|
allow init cgroup:file rw_file_perms;
|
2019-01-10 17:10:31 -08:00
|
|
|
allow init cgroup_rc_file:file rw_file_perms;
|
|
|
|
|
allow init cgroup_desc_file:file r_file_perms;
|
2014-10-24 12:56:15 -07:00
|
|
|
|
2016-03-01 16:13:50 -08:00
|
|
|
# /config
|
|
|
|
|
allow init configfs:dir mounton;
|
|
|
|
|
allow init configfs:dir create_dir_perms;
|
2017-04-12 16:50:25 -07:00
|
|
|
allow init configfs:{ file lnk_file } create_file_perms;
|
2016-03-01 16:13:50 -08:00
|
|
|
|
2018-04-20 11:14:49 -07:00
|
|
|
# /metadata
|
|
|
|
|
allow init metadata_file:dir mounton;
|
|
|
|
|
|
2015-02-27 14:54:40 -08:00
|
|
|
# Use tmpfs as /data, used for booting when /data is encrypted
|
|
|
|
|
allow init tmpfs:dir relabelfrom;
|
|
|
|
|
|
2014-10-24 12:56:15 -07:00
|
|
|
# Create directories under /dev/cpuctl after chowning it to system.
|
2018-09-06 15:19:40 -07:00
|
|
|
allow init self:global_capability_class_set { dac_override dac_read_search };
|
2014-10-24 12:56:15 -07:00
|
|
|
|
|
|
|
|
# Set system clock.
|
2017-11-09 14:51:26 -08:00
|
|
|
allow init self:global_capability_class_set sys_time;
|
2014-10-24 12:56:15 -07:00
|
|
|
|
2017-11-09 14:51:26 -08:00
|
|
|
allow init self:global_capability_class_set { sys_rawio mknod };
|
2014-02-10 13:31:04 -08:00
|
|
|
|
2014-09-23 06:11:30 -07:00
|
|
|
# Mounting filesystems from block devices.
|
|
|
|
|
allow init dev_type:blk_file r_file_perms;
|
2018-10-18 15:07:40 -07:00
|
|
|
allowxperm init dev_type:blk_file ioctl BLKROSET;
|
2014-05-29 11:35:55 -07:00
|
|
|
|
|
|
|
|
# Mounting filesystems.
|
2014-06-16 10:05:38 -07:00
|
|
|
# Only allow relabelto for types used in context= mount options,
|
|
|
|
|
# which should all be assigned the contextmount_type attribute.
|
|
|
|
|
# This can be done in device-specific policy via type or typeattribute
|
|
|
|
|
# declarations.
|
|
|
|
|
allow init fs_type:filesystem ~relabelto;
|
|
|
|
|
allow init unlabeled:filesystem ~relabelto;
|
|
|
|
|
allow init contextmount_type:filesystem relabelto;
|
|
|
|
|
|
|
|
|
|
# Allow read-only access to context= mounted filesystems.
|
|
|
|
|
allow init contextmount_type:dir r_dir_perms;
|
|
|
|
|
allow init contextmount_type:notdevfile_class_set r_file_perms;
|
2014-05-29 11:35:55 -07:00
|
|
|
|
2016-03-01 16:14:45 -08:00
|
|
|
# restorecon /adb_keys or any other rootfs files and directories to a more
|
|
|
|
|
# specific type.
|
|
|
|
|
allow init rootfs:{ dir file } relabelfrom;
|
2014-06-23 06:17:51 -07:00
|
|
|
|
2014-10-24 12:56:15 -07:00
|
|
|
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
|
|
|
|
|
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
|
2014-05-29 11:35:55 -07:00
|
|
|
# system/core/init.rc requires at least cache_file and data_file_type.
|
|
|
|
|
# init.<board>.rc files often include device-specific types, so
|
|
|
|
|
# we just allow all file types except /system files here.
|
2017-11-09 14:51:26 -08:00
|
|
|
allow init self:global_capability_class_set { chown fowner fsetid };
|
2016-03-01 10:47:40 -08:00
|
|
|
|
|
|
|
|
allow init {
|
|
|
|
|
file_type
|
|
|
|
|
-app_data_file
|
2016-08-10 11:10:02 -07:00
|
|
|
-exec_type
|
|
|
|
|
-misc_logd_file
|
2018-02-20 12:41:30 -08:00
|
|
|
-nativetest_data_file
|
2018-08-02 15:54:23 -07:00
|
|
|
-privapp_data_file
|
2016-03-01 10:53:29 -08:00
|
|
|
-system_app_data_file
|
2018-09-27 10:21:37 -07:00
|
|
|
-system_file_type
|
2017-04-01 17:17:12 -07:00
|
|
|
-vendor_file_type
|
2016-03-01 10:47:40 -08:00
|
|
|
}:dir { create search getattr open read setattr ioctl };
|
|
|
|
|
|
|
|
|
|
allow init {
|
|
|
|
|
file_type
|
2016-08-10 11:10:02 -07:00
|
|
|
-app_data_file
|
2016-03-01 10:47:40 -08:00
|
|
|
-exec_type
|
2018-10-05 14:48:29 -07:00
|
|
|
-iorapd_data_file
|
2016-03-01 10:47:40 -08:00
|
|
|
-keystore_data_file
|
2016-08-10 11:10:02 -07:00
|
|
|
-misc_logd_file
|
2018-02-20 12:41:30 -08:00
|
|
|
-nativetest_data_file
|
2018-08-02 15:54:23 -07:00
|
|
|
-privapp_data_file
|
2016-03-01 10:47:40 -08:00
|
|
|
-shell_data_file
|
2016-08-10 11:10:02 -07:00
|
|
|
-system_app_data_file
|
2018-09-27 10:21:37 -07:00
|
|
|
-system_file_type
|
2017-04-01 17:17:12 -07:00
|
|
|
-vendor_file_type
|
2016-03-01 10:47:40 -08:00
|
|
|
-vold_data_file
|
|
|
|
|
}:dir { write add_name remove_name rmdir relabelfrom };
|
|
|
|
|
|
|
|
|
|
allow init {
|
|
|
|
|
file_type
|
2016-08-10 11:10:02 -07:00
|
|
|
-app_data_file
|
2016-03-01 10:47:40 -08:00
|
|
|
-exec_type
|
2018-10-05 14:48:29 -07:00
|
|
|
-iorapd_data_file
|
2016-03-01 10:47:40 -08:00
|
|
|
-keystore_data_file
|
2016-08-10 11:10:02 -07:00
|
|
|
-misc_logd_file
|
2018-02-20 12:41:30 -08:00
|
|
|
-nativetest_data_file
|
2018-08-02 15:54:23 -07:00
|
|
|
-privapp_data_file
|
2018-04-16 07:49:49 -07:00
|
|
|
-runtime_event_log_tags_file
|
2016-03-01 10:47:40 -08:00
|
|
|
-shell_data_file
|
2016-08-10 11:10:02 -07:00
|
|
|
-system_app_data_file
|
2018-09-27 10:21:37 -07:00
|
|
|
-system_file_type
|
2017-04-01 17:17:12 -07:00
|
|
|
-vendor_file_type
|
2016-03-01 10:47:40 -08:00
|
|
|
-vold_data_file
|
2018-08-13 10:31:58 -07:00
|
|
|
}:file { create getattr open read write setattr relabelfrom unlink map };
|
2016-03-01 10:47:40 -08:00
|
|
|
|
|
|
|
|
allow init {
|
|
|
|
|
file_type
|
2016-08-10 11:10:02 -07:00
|
|
|
-app_data_file
|
2016-03-01 10:47:40 -08:00
|
|
|
-exec_type
|
2018-10-05 14:48:29 -07:00
|
|
|
-iorapd_data_file
|
2016-03-01 10:47:40 -08:00
|
|
|
-keystore_data_file
|
2016-08-10 11:10:02 -07:00
|
|
|
-misc_logd_file
|
2018-02-20 12:41:30 -08:00
|
|
|
-nativetest_data_file
|
2018-08-02 15:54:23 -07:00
|
|
|
-privapp_data_file
|
2016-03-01 10:47:40 -08:00
|
|
|
-shell_data_file
|
2016-08-10 11:10:02 -07:00
|
|
|
-system_app_data_file
|
2018-09-27 10:21:37 -07:00
|
|
|
-system_file_type
|
2017-04-01 17:17:12 -07:00
|
|
|
-vendor_file_type
|
2016-03-01 10:47:40 -08:00
|
|
|
-vold_data_file
|
|
|
|
|
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
|
|
|
|
|
|
|
|
|
|
allow init {
|
|
|
|
|
file_type
|
2018-10-16 00:02:49 -07:00
|
|
|
-apex_mnt_dir
|
2016-08-10 11:10:02 -07:00
|
|
|
-app_data_file
|
2016-03-01 10:47:40 -08:00
|
|
|
-exec_type
|
2018-10-05 14:48:29 -07:00
|
|
|
-iorapd_data_file
|
2016-03-01 10:47:40 -08:00
|
|
|
-keystore_data_file
|
2016-08-10 11:10:02 -07:00
|
|
|
-misc_logd_file
|
2018-02-20 12:41:30 -08:00
|
|
|
-nativetest_data_file
|
2018-08-02 15:54:23 -07:00
|
|
|
-privapp_data_file
|
2016-03-01 10:47:40 -08:00
|
|
|
-shell_data_file
|
2016-08-10 11:10:02 -07:00
|
|
|
-system_app_data_file
|
2018-09-27 10:21:37 -07:00
|
|
|
-system_file_type
|
2017-04-01 17:17:12 -07:00
|
|
|
-vendor_file_type
|
2016-03-01 10:47:40 -08:00
|
|
|
-vold_data_file
|
|
|
|
|
}:lnk_file { create getattr setattr relabelfrom unlink };
|
|
|
|
|
|
2017-02-10 12:06:46 -08:00
|
|
|
allow init cache_file:lnk_file r_file_perms;
|
|
|
|
|
|
2018-11-16 00:59:23 -08:00
|
|
|
allow init {
|
|
|
|
|
file_type
|
|
|
|
|
-system_file_type
|
|
|
|
|
-vendor_file_type
|
|
|
|
|
-exec_type
|
|
|
|
|
-app_data_file
|
|
|
|
|
-privapp_data_file
|
|
|
|
|
}:dir_file_class_set relabelto;
|
|
|
|
|
|
2018-01-30 18:14:45 -08:00
|
|
|
allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
|
2017-03-05 21:53:39 -08:00
|
|
|
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
|
2014-10-24 12:56:15 -07:00
|
|
|
allow init dev_type:dir create_dir_perms;
|
|
|
|
|
allow init dev_type:lnk_file create;
|
|
|
|
|
|
2015-12-16 12:50:06 -08:00
|
|
|
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
|
2017-06-07 10:37:31 -07:00
|
|
|
allow init debugfs_tracing:file w_file_perms;
|
2015-12-16 12:50:06 -08:00
|
|
|
|
2017-02-22 18:01:00 -08:00
|
|
|
# Setup and control wifi event tracing (see wifi-events.rc)
|
|
|
|
|
allow init debugfs_tracing_instances:dir create_dir_perms;
|
|
|
|
|
allow init debugfs_tracing_instances:file w_file_perms;
|
|
|
|
|
allow init debugfs_wifi_tracing:file w_file_perms;
|
2016-05-17 15:32:04 -07:00
|
|
|
|
2014-10-24 12:56:15 -07:00
|
|
|
# chown/chmod on pseudo files.
|
2017-11-03 15:35:41 -07:00
|
|
|
allow init {
|
|
|
|
|
fs_type
|
|
|
|
|
-contextmount_type
|
2018-05-09 07:20:45 -07:00
|
|
|
-keychord_device
|
2018-03-29 13:45:30 -07:00
|
|
|
-proc_type
|
2017-11-03 15:35:41 -07:00
|
|
|
-sdcard_type
|
2017-12-18 14:44:37 -08:00
|
|
|
-sysfs_type
|
2017-11-03 15:35:41 -07:00
|
|
|
-rootfs
|
|
|
|
|
}:file { open read setattr };
|
2015-02-06 13:29:25 -08:00
|
|
|
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
|
2014-10-24 12:56:15 -07:00
|
|
|
|
2017-04-25 09:27:54 -07:00
|
|
|
allow init {
|
2018-10-18 17:19:43 -07:00
|
|
|
ashmem_device
|
|
|
|
|
binder_device
|
|
|
|
|
console_device
|
|
|
|
|
devpts
|
|
|
|
|
dm_device
|
|
|
|
|
hwbinder_device
|
|
|
|
|
hw_random_device
|
|
|
|
|
input_device
|
|
|
|
|
kmsg_device
|
|
|
|
|
null_device
|
|
|
|
|
owntty_device
|
|
|
|
|
pmsg_device
|
|
|
|
|
ptmx_device
|
|
|
|
|
random_device
|
|
|
|
|
tty_device
|
|
|
|
|
zero_device
|
2017-02-03 13:26:32 -08:00
|
|
|
}:chr_file { read open };
|
2017-01-27 12:39:45 -08:00
|
|
|
|
2014-10-24 12:56:15 -07:00
|
|
|
# chown/chmod on devices.
|
2018-05-09 07:20:45 -07:00
|
|
|
allow init {
|
|
|
|
|
dev_type
|
|
|
|
|
-keychord_device
|
|
|
|
|
-port_device
|
|
|
|
|
}:chr_file setattr;
|
2014-05-29 11:35:55 -07:00
|
|
|
|
2014-05-30 06:53:00 -07:00
|
|
|
# Unlabeled file access for upgrades from 4.2.
|
|
|
|
|
allow init unlabeled:dir { create_dir_perms relabelfrom };
|
|
|
|
|
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
|
|
|
|
|
|
2014-05-29 11:35:55 -07:00
|
|
|
# Any operation that can modify the kernel ring buffer, e.g. clear
|
|
|
|
|
# or a read that consumes the messages that were read.
|
2014-05-28 13:48:52 -07:00
|
|
|
allow init kernel:system syslog_mod;
|
2017-11-09 14:51:26 -08:00
|
|
|
allow init self:global_capability2_class_set syslog;
|
2014-10-24 12:56:15 -07:00
|
|
|
|
2017-11-03 15:35:41 -07:00
|
|
|
# init access to /proc.
|
Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 12:47:48 -07:00
|
|
|
r_dir_file(init, proc_net_type)
|
2014-10-24 12:56:15 -07:00
|
|
|
|
2018-06-13 08:02:29 -07:00
|
|
|
userdebug_or_eng(`
|
2018-07-02 08:13:40 -07:00
|
|
|
# Overlayfs workdir write access check during mount to permit remount,rw
|
|
|
|
|
allow init overlayfs_file:dir { relabelfrom mounton write };
|
2018-06-13 08:02:29 -07:00
|
|
|
')
|
|
|
|
|
|
2017-11-03 15:35:41 -07:00
|
|
|
allow init {
|
2019-01-17 05:34:51 -08:00
|
|
|
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
|
2017-11-03 15:35:41 -07:00
|
|
|
proc_cmdline
|
2017-11-05 15:35:16 -08:00
|
|
|
proc_diskstats
|
|
|
|
|
proc_kmsg # Open /proc/kmsg for logd service.
|
2017-11-03 15:35:41 -07:00
|
|
|
proc_meminfo
|
|
|
|
|
proc_stat # Read /proc/stat for bootchart.
|
2017-11-05 15:35:16 -08:00
|
|
|
proc_uptime
|
2017-11-03 15:35:41 -07:00
|
|
|
proc_version
|
|
|
|
|
}:file r_file_perms;
|
2016-07-29 11:48:19 -07:00
|
|
|
|
2017-11-03 15:35:41 -07:00
|
|
|
allow init {
|
2017-11-05 15:35:16 -08:00
|
|
|
proc_abi
|
|
|
|
|
proc_dirty
|
|
|
|
|
proc_hostname
|
|
|
|
|
proc_hung_task
|
|
|
|
|
proc_extra_free_kbytes
|
Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 12:47:48 -07:00
|
|
|
proc_net_type
|
2017-11-05 15:35:16 -08:00
|
|
|
proc_max_map_count
|
2018-01-23 17:32:16 -08:00
|
|
|
proc_min_free_order_shift
|
2017-11-03 15:35:41 -07:00
|
|
|
proc_overcommit_memory
|
2017-11-05 15:35:16 -08:00
|
|
|
proc_panic
|
2017-11-03 15:35:41 -07:00
|
|
|
proc_page_cluster
|
2017-11-05 15:35:16 -08:00
|
|
|
proc_perf
|
|
|
|
|
proc_sched
|
2017-11-03 15:35:41 -07:00
|
|
|
proc_sysrq
|
|
|
|
|
}:file w_file_perms;
|
2017-09-14 13:59:09 -07:00
|
|
|
|
2017-11-03 15:35:41 -07:00
|
|
|
allow init {
|
|
|
|
|
proc_security
|
|
|
|
|
}:file rw_file_perms;
|
2017-09-21 13:18:00 -07:00
|
|
|
|
2018-03-29 13:45:30 -07:00
|
|
|
# init chmod/chown access to /proc files.
|
|
|
|
|
allow init {
|
|
|
|
|
proc_cmdline
|
|
|
|
|
proc_kmsg
|
|
|
|
|
proc_net
|
|
|
|
|
proc_qtaguid_stat
|
2018-06-14 07:34:19 -07:00
|
|
|
proc_slabinfo
|
2018-03-29 13:45:30 -07:00
|
|
|
proc_sysrq
|
|
|
|
|
proc_qtaguid_ctrl
|
|
|
|
|
proc_vmallocinfo
|
|
|
|
|
}:file setattr;
|
|
|
|
|
|
2017-12-06 09:00:59 -08:00
|
|
|
# init access to /sys files.
|
|
|
|
|
allow init {
|
|
|
|
|
sysfs_android_usb
|
|
|
|
|
sysfs_leds
|
|
|
|
|
sysfs_power
|
|
|
|
|
}:file w_file_perms;
|
|
|
|
|
|
2017-12-18 14:44:37 -08:00
|
|
|
allow init {
|
|
|
|
|
sysfs_dt_firmware_android
|
2019-01-15 04:38:32 -08:00
|
|
|
sysfs_fs_ext4_features
|
2017-12-18 14:44:37 -08:00
|
|
|
}:file r_file_perms;
|
|
|
|
|
|
2018-01-02 16:12:22 -08:00
|
|
|
allow init {
|
|
|
|
|
sysfs_zram
|
|
|
|
|
}:file rw_file_perms;
|
|
|
|
|
|
2018-11-20 16:13:07 -08:00
|
|
|
# allow init to create loop devices with /dev/loop-control
|
|
|
|
|
allow init loop_control_device:chr_file rw_file_perms;
|
|
|
|
|
allow init loop_device:blk_file rw_file_perms;
|
|
|
|
|
allowxperm init loop_device:blk_file ioctl {
|
|
|
|
|
LOOP_SET_FD
|
|
|
|
|
LOOP_CLR_FD
|
|
|
|
|
LOOP_CTL_GET_FREE
|
|
|
|
|
LOOP_SET_BLOCK_SIZE
|
|
|
|
|
LOOP_SET_DIRECT_IO
|
|
|
|
|
};
|
|
|
|
|
|
2018-02-23 10:20:31 -08:00
|
|
|
# Allow init to write to vibrator/trigger
|
|
|
|
|
allow init sysfs_vibrator:file w_file_perms;
|
|
|
|
|
|
2017-12-06 09:00:59 -08:00
|
|
|
# init chmod/chown access to /sys files.
|
|
|
|
|
allow init {
|
|
|
|
|
sysfs_android_usb
|
|
|
|
|
sysfs_devices_system_cpu
|
|
|
|
|
sysfs_ipv4
|
|
|
|
|
sysfs_leds
|
|
|
|
|
sysfs_lowmemorykiller
|
|
|
|
|
sysfs_power
|
2017-12-18 14:44:37 -08:00
|
|
|
sysfs_vibrator
|
|
|
|
|
sysfs_wake_lock
|
2017-12-06 09:00:59 -08:00
|
|
|
}:file setattr;
|
|
|
|
|
|
2017-11-03 15:35:41 -07:00
|
|
|
# Set usermodehelpers.
|
|
|
|
|
allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
|
2017-10-24 13:17:46 -07:00
|
|
|
|
2017-11-09 14:51:26 -08:00
|
|
|
allow init self:global_capability_class_set net_admin;
|
2017-11-02 15:52:40 -07:00
|
|
|
|
2014-10-24 12:56:15 -07:00
|
|
|
# Reboot.
|
2017-11-09 14:51:26 -08:00
|
|
|
allow init self:global_capability_class_set sys_boot;
|
2014-10-24 12:56:15 -07:00
|
|
|
|
2016-03-26 07:43:38 -07:00
|
|
|
# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
|
|
|
|
|
# Init will also walk through the directory as part of a recursive restorecon.
|
2016-09-13 09:33:35 -07:00
|
|
|
allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
|
|
|
|
|
allow init misc_logd_file:file { open create getattr setattr write };
|
2016-03-26 07:43:38 -07:00
|
|
|
|
2014-07-03 22:13:14 -07:00
|
|
|
# Support "adb shell stop"
|
2017-11-09 14:51:26 -08:00
|
|
|
allow init self:global_capability_class_set kill;
|
2017-06-13 14:49:17 -07:00
|
|
|
allow init domain:process { getpgid sigkill signal };
|
2014-05-08 23:28:52 -07:00
|
|
|
|
|
|
|
|
# Init creates keystore's directory on boot, and walks through
|
|
|
|
|
# the directory as part of a recursive restorecon.
|
|
|
|
|
allow init keystore_data_file:dir { open create read getattr setattr search };
|
|
|
|
|
allow init keystore_data_file:file { getattr };
|
2014-05-23 08:26:19 -07:00
|
|
|
|
2015-03-31 15:03:13 -07:00
|
|
|
# Init creates vold's directory on boot, and walks through
|
|
|
|
|
# the directory as part of a recursive restorecon.
|
|
|
|
|
allow init vold_data_file:dir { open create read getattr setattr search };
|
|
|
|
|
allow init vold_data_file:file { getattr };
|
|
|
|
|
|
2014-06-07 10:00:59 -07:00
|
|
|
# Init creates /data/local/tmp at boot
|
|
|
|
|
allow init shell_data_file:dir { open create read getattr setattr search };
|
|
|
|
|
allow init shell_data_file:file { getattr };
|
|
|
|
|
|
2016-10-31 13:29:34 -07:00
|
|
|
# Set UID, GID, and adjust capability bounding set for services.
|
2017-11-09 14:51:26 -08:00
|
|
|
allow init self:global_capability_class_set { setuid setgid setpcap };
|
2014-10-24 12:56:15 -07:00
|
|
|
|
2014-12-04 21:40:22 -08:00
|
|
|
# For bootchart to read the /proc/$pid/cmdline file of each process,
|
|
|
|
|
# we need to have following line to allow init to have access
|
|
|
|
|
# to different domains.
|
|
|
|
|
r_dir_file(init, domain)
|
|
|
|
|
|
2014-05-23 08:26:19 -07:00
|
|
|
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
|
|
|
|
|
# setexec is for services with seclabel options.
|
|
|
|
|
# setfscreate is for labeling directories and socket files.
|
|
|
|
|
# setsockcreate is for labeling local/unix domain sockets.
|
|
|
|
|
allow init self:process { setexec setfscreate setsockcreate };
|
2014-05-29 06:22:16 -07:00
|
|
|
|
2017-03-24 15:02:13 -07:00
|
|
|
# Get file context
|
|
|
|
|
allow init file_contexts_file:file r_file_perms;
|
|
|
|
|
|
2017-03-27 11:39:16 -07:00
|
|
|
# sepolicy access
|
|
|
|
|
allow init sepolicy_file:file r_file_perms;
|
|
|
|
|
|
2014-10-24 12:56:15 -07:00
|
|
|
# Perform SELinux access checks on setting properties.
|
|
|
|
|
selinux_check_access(init)
|
|
|
|
|
|
|
|
|
|
# Ask the kernel for the new context on services to label their sockets.
|
|
|
|
|
allow init kernel:security compute_create;
|
|
|
|
|
|
|
|
|
|
# Create sockets for the services.
|
2017-05-08 08:14:28 -07:00
|
|
|
allow init domain:unix_stream_socket { create bind setopt };
|
|
|
|
|
allow init domain:unix_dgram_socket { create bind setopt };
|
2014-10-24 12:56:15 -07:00
|
|
|
|
2014-05-29 06:22:16 -07:00
|
|
|
# Create /data/property and files within it.
|
|
|
|
|
allow init property_data_file:dir create_dir_perms;
|
|
|
|
|
allow init property_data_file:file create_file_perms;
|
2014-06-18 07:09:35 -07:00
|
|
|
|
2014-06-19 07:27:02 -07:00
|
|
|
# Set any property.
|
|
|
|
|
allow init property_type:property_service set;
|
|
|
|
|
|
2017-01-03 08:47:17 -08:00
|
|
|
# Send an SELinux userspace denial to the kernel audit subsystem,
|
|
|
|
|
# so it can be picked up and processed by logd. These denials are
|
|
|
|
|
# generated when an attempt to set a property is denied by policy.
|
|
|
|
|
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
|
2017-11-09 14:51:26 -08:00
|
|
|
allow init self:global_capability_class_set audit_write;
|
2017-01-03 08:47:17 -08:00
|
|
|
|
2014-06-20 21:15:56 -07:00
|
|
|
# Run "ifup lo" to bring up the localhost interface
|
|
|
|
|
allow init self:udp_socket { create ioctl };
|
2016-05-16 21:12:17 -07:00
|
|
|
# in addition to unpriv ioctls granted to all domains, init also needs:
|
|
|
|
|
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
|
2017-11-09 14:51:26 -08:00
|
|
|
allow init self:global_capability_class_set net_raw;
|
2014-06-20 21:15:56 -07:00
|
|
|
|
2014-07-03 22:13:14 -07:00
|
|
|
# This line seems suspect, as it should not really need to
|
|
|
|
|
# set scheduling parameters for a kernel domain task.
|
|
|
|
|
allow init kernel:process setsched;
|
|
|
|
|
|
2014-10-20 11:52:19 -07:00
|
|
|
# swapon() needs write access to swap device
|
|
|
|
|
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
|
|
|
|
|
allow init swap_block_device:blk_file rw_file_perms;
|
|
|
|
|
|
2014-10-21 07:09:33 -07:00
|
|
|
# Read from /dev/hw_random if present.
|
|
|
|
|
# system/core/init/init.c - mix_hwrng_into_linux_rng_action
|
|
|
|
|
allow init hw_random_device:chr_file r_file_perms;
|
|
|
|
|
|
|
|
|
|
# Create and access /dev files without a specific type,
|
2014-10-24 12:56:15 -07:00
|
|
|
# e.g. /dev/.coldboot_done, /dev/.booting
|
2014-10-21 07:09:33 -07:00
|
|
|
# TODO: Move these files into their own type unless they are
|
|
|
|
|
# only ever accessed by init.
|
|
|
|
|
allow init device:file create_file_perms;
|
|
|
|
|
|
2018-05-09 07:20:45 -07:00
|
|
|
# keychord retrieval from /dev/input/ devices
|
2018-05-02 13:57:26 -07:00
|
|
|
allow init input_device:dir r_dir_perms;
|
|
|
|
|
allow init input_device:chr_file rw_file_perms;
|
2014-10-24 12:56:15 -07:00
|
|
|
|
2015-03-04 16:55:29 -08:00
|
|
|
# Access device mapper for setting up dm-verity
|
|
|
|
|
allow init dm_device:chr_file rw_file_perms;
|
|
|
|
|
allow init dm_device:blk_file rw_file_perms;
|
|
|
|
|
|
|
|
|
|
# Access metadata block device for storing dm-verity state
|
|
|
|
|
allow init metadata_block_device:blk_file rw_file_perms;
|
|
|
|
|
|
|
|
|
|
# Read /sys/fs/pstore/console-ramoops to detect restarts caused
|
|
|
|
|
# by dm-verity detecting corrupted blocks
|
|
|
|
|
allow init pstorefs:dir search;
|
|
|
|
|
allow init pstorefs:file r_file_perms;
|
2016-01-27 07:27:23 -08:00
|
|
|
allow init kernel:system syslog_read;
|
2015-03-04 16:55:29 -08:00
|
|
|
|
2015-03-11 15:44:14 -07:00
|
|
|
# linux keyring configuration
|
|
|
|
|
allow init init:key { write search setattr };
|
|
|
|
|
|
2015-04-28 15:06:29 -07:00
|
|
|
# Allow init to create /data/unencrypted
|
2015-03-11 15:44:14 -07:00
|
|
|
allow init unencrypted_data_file:dir create_dir_perms;
|
|
|
|
|
|
2018-10-09 14:22:47 -07:00
|
|
|
# Set encryption policy on dirs in /data
|
|
|
|
|
allowxperm init data_file_type:dir ioctl {
|
|
|
|
|
FS_IOC_GET_ENCRYPTION_POLICY
|
|
|
|
|
FS_IOC_SET_ENCRYPTION_POLICY
|
|
|
|
|
};
|
|
|
|
|
|
2016-07-06 17:24:01 -07:00
|
|
|
# Allow init to write to /proc/sys/vm/overcommit_memory
|
|
|
|
|
allow init proc_overcommit_memory:file { write };
|
|
|
|
|
|
2016-04-06 15:53:09 -07:00
|
|
|
# Raw writes to misc block device
|
|
|
|
|
allow init misc_block_device:blk_file w_file_perms;
|
|
|
|
|
|
2016-09-09 16:27:17 -07:00
|
|
|
r_dir_file(init, system_file)
|
2017-04-01 17:17:12 -07:00
|
|
|
r_dir_file(init, vendor_file_type)
|
2016-09-09 16:27:17 -07:00
|
|
|
|
|
|
|
|
allow init system_data_file:file { getattr read };
|
|
|
|
|
allow init system_data_file:lnk_file r_file_perms;
|
|
|
|
|
|
2017-04-13 13:06:00 -07:00
|
|
|
# For init to be able to run shell scripts from vendor
|
|
|
|
|
allow init vendor_shell_exec:file execute;
|
2016-09-09 16:27:17 -07:00
|
|
|
|
2018-05-17 10:15:53 -07:00
|
|
|
# Metadata setup
|
|
|
|
|
allow init vold_metadata_file:dir create_dir_perms;
|
|
|
|
|
allow init vold_metadata_file:file getattr;
|
|
|
|
|
|
2018-09-03 21:40:13 -07:00
|
|
|
# Allow init to use binder
|
|
|
|
|
binder_use(init);
|
2018-08-17 00:35:42 -07:00
|
|
|
allow init apex_service:service_manager find;
|
|
|
|
|
# Allow servicemanager to pass it
|
|
|
|
|
allow servicemanager init:binder transfer;
|
|
|
|
|
# Allow calls from init to apexd
|
|
|
|
|
allow init apexd:binder call;
|
2018-09-03 21:40:13 -07:00
|
|
|
|
2014-06-18 07:09:35 -07:00
|
|
|
###
|
|
|
|
|
### neverallow rules
|
|
|
|
|
###
|
|
|
|
|
|
2016-12-17 09:18:18 -08:00
|
|
|
# The init domain is only entered via an exec based transition from the
|
|
|
|
|
# kernel domain, never via setcon().
|
2015-04-24 11:38:10 -07:00
|
|
|
neverallow domain init:process dyntransition;
|
2016-12-17 09:18:18 -08:00
|
|
|
neverallow { domain -kernel } init:process transition;
|
2015-04-24 11:38:10 -07:00
|
|
|
neverallow init { file_type fs_type -init_exec }:file entrypoint;
|
2014-09-02 14:05:44 -07:00
|
|
|
|
|
|
|
|
# Never read/follow symlinks created by shell or untrusted apps.
|
|
|
|
|
neverallow init shell_data_file:lnk_file read;
|
2018-08-02 15:54:23 -07:00
|
|
|
neverallow init { app_data_file privapp_data_file }:lnk_file read;
|
2014-09-23 06:11:30 -07:00
|
|
|
|
|
|
|
|
# init should never execute a program without changing to another domain.
|
|
|
|
|
neverallow init { file_type fs_type }:file execute_no_trans;
|
2015-07-14 11:46:30 -07:00
|
|
|
|
2018-08-17 00:35:42 -07:00
|
|
|
# init can only find the APEX service
|
|
|
|
|
neverallow init { service_manager_type -apex_service }:service_manager { find };
|
|
|
|
|
# init can never add binder services
|
|
|
|
|
neverallow init service_manager_type:service_manager { add };
|
|
|
|
|
# init can never list binder services
|
2015-07-14 11:46:30 -07:00
|
|
|
neverallow init servicemanager:service_manager list;
|
2015-08-22 14:47:00 -07:00
|
|
|
|
|
|
|
|
# Init should not be creating subdirectories in /data/local/tmp
|
|
|
|
|
neverallow init shell_data_file:dir { write add_name remove_name };
|
2017-12-06 09:00:59 -08:00
|
|
|
|
|
|
|
|
# Init should not access sysfs node that are not explicitly labeled.
|
|
|
|
|
neverallow init sysfs:file { open read write };
|
2018-09-13 11:07:14 -07:00
|
|
|
|
|
|
|
|
# No domain should be allowed to ptrace init.
|
|
|
|
|
neverallow * init:process ptrace;
|
