add vendor_init.te

First pass at adding vendor_init.te

Bug: 62875318
Test: boot sailfish with vendor_init
Change-Id: I35cc9be324075d8baae866d6de4166c37fddac68

private/compat/26.0/26.0.ignore.cil

@@ -34,6 +34,7 @@
     thermalserviced_tmpfs
     timezone_service
     tombstoned_java_trace_socket
+    vendor_init
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
     vold_service

private/init.te

@@ -14,6 +14,7 @@ recovery_only(`
 domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, watchdogd)
+domain_trans(init, init_exec, vendor_init)
 domain_trans(init, { rootfs toolbox_exec }, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`

private/vendor_init.te

+typeattribute vendor_init coredomain;
+

public/domain.te

@@ -321,7 +321,7 @@ neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
 neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append open read write };
+neverallow { domain -init -vendor_init } proc_security:file { append open read write };
 
 # No domain should be allowed to ptrace init.
 neverallow * init:process ptrace;
@@ -464,6 +464,7 @@ neverallow {
   -recovery
   -shell
   -system_server
+  -vendor_init
 } serialno_prop:file r_file_perms;
 
 # Do not allow reading the last boot timestamp from system properties
@@ -658,6 +659,7 @@ full_treble_only(`
     -init
     -ueventd
     -socket_between_core_and_vendor_violators
+    -vendor_init
   } {
     file_type
     dev_type
@@ -680,6 +682,7 @@ full_treble_only(`
         -installd
         -postinstall_dexopt
         -system_server
+        -vendor_init
     } vendor_app_file:dir { open read getattr search };
 
     neverallow {
@@ -691,6 +694,7 @@ full_treble_only(`
         -installd
         -postinstall_dexopt
         -system_server
+        -vendor_init
     } vendor_app_file:{ file lnk_file } r_file_perms;
 
     # Limit access to /vendor/overlay
@@ -702,6 +706,7 @@ full_treble_only(`
         -installd
         -system_server
         -zygote
+        -vendor_init
     } vendor_overlay_file:dir { getattr open read search };
 
     neverallow {
@@ -712,6 +717,7 @@ full_treble_only(`
         -installd
         -system_server
         -zygote
+        -vendor_init
     } vendor_overlay_file:{ file lnk_file } r_file_perms;
 
     # Non-vendor domains are not allowed to file execute shell
@@ -719,6 +725,7 @@ full_treble_only(`
     neverallow {
         coredomain
         -init
+        -vendor_init
     } vendor_shell_exec:file { execute execute_no_trans };
 
     # Do not allow vendor components to execute files from system
@@ -729,6 +736,7 @@ full_treble_only(`
         -appdomain
         -rild
         -vendor_executes_system_violators
+        -vendor_init
     } {
         exec_type
         -vendor_file_type
@@ -855,6 +863,7 @@ neverallow {
   -system_server
   -system_app
   -init
+  -vendor_init
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
   with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
@@ -990,7 +999,7 @@ neverallow * domain:file { execute execute_no_trans entrypoint };
 # Instead, if access to part of debugfs is desired, it should have a
 # more specific label.
 # TODO: fix system_server and dumpstate
-neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms;
 
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.

public/vendor_init.te

+# vendor_init is its own domain.
+type vendor_init, domain, mlstrustedsubject;
+
+# Communication to the main init process
+allow vendor_init init:unix_stream_socket { read write };
+
+# Logging to kmsg
+allow vendor_init kmsg_device:chr_file { open write };
+
+# Mount on /dev/usb-ffs/adb.
+allow vendor_init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow vendor_init rootfs:lnk_file { create unlink };
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow vendor_init cgroup:dir create_dir_perms;
+
+# /config
+allow vendor_init configfs:dir mounton;
+allow vendor_init configfs:dir create_dir_perms;
+allow vendor_init configfs:{ file lnk_file } create_file_perms;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow vendor_init self:capability dac_override;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow vendor_init self:capability { chown fowner fsetid };
+
+allow vendor_init {
+  file_type
+  -app_data_file
+  -bluetooth_data_file
+  -dalvikcache_data_file
+  -exec_type
+  -incident_data_file
+  -keystore_data_file
+  -misc_logd_file
+  -nfc_data_file
+  -property_data_file
+  -radio_data_file
+  -shell_data_file
+  -system_app_data_file
+  -system_file
+  -system_ndebug_socket
+  -unlabeled
+  -vendor_file_type
+  -vold_data_file
+  -zoneinfo_data_file
+}:dir { create search getattr open read setattr ioctl };
+
+allow vendor_init {
+  file_type
+  -app_data_file
+  -bluetooth_data_file
+  -dalvikcache_data_file
+  -exec_type
+  -incident_data_file
+  -keystore_data_file
+  -misc_logd_file
+  -nfc_data_file
+  -property_data_file
+  -radio_data_file
+  -shell_data_file
+  -system_app_data_file
+  -system_file
+  -system_ndebug_socket
+  -unlabeled
+  -vendor_file_type
+  -vold_data_file
+  -zoneinfo_data_file
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init {
+  file_type
+  -app_data_file
+  -bluetooth_data_file
+  -dalvikcache_data_file
+  -runtime_event_log_tags_file
+  -exec_type
+  -incident_data_file
+  -keystore_data_file
+  -misc_logd_file
+  -nfc_data_file
+  -property_data_file
+  -radio_data_file
+  -shell_data_file
+  -system_app_data_file
+  -system_file
+  -system_ndebug_socket
+  -unlabeled
+  -vendor_file_type
+  -vold_data_file
+  -zoneinfo_data_file
+}:file { create getattr open read write setattr relabelfrom unlink };
+
+allow vendor_init {
+  file_type
+  -app_data_file
+  -bluetooth_data_file
+  -dalvikcache_data_file
+  -exec_type
+  -incident_data_file
+  -keystore_data_file
+  -misc_logd_file
+  -nfc_data_file
+  -property_data_file
+  -radio_data_file
+  -shell_data_file
+  -system_app_data_file
+  -system_file
+  -system_ndebug_socket
+  -unlabeled
+  -vendor_file_type
+  -vold_data_file
+  -zoneinfo_data_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow vendor_init {
+  file_type
+  -app_data_file
+  -bluetooth_data_file
+  -dalvikcache_data_file
+  -exec_type
+  -incident_data_file
+  -keystore_data_file
+  -misc_logd_file
+  -nfc_data_file
+  -property_data_file
+  -radio_data_file
+  -shell_data_file
+  -system_app_data_file
+  -system_file
+  -system_ndebug_socket
+  -unlabeled
+  -vendor_file_type
+  -vold_data_file
+  -zoneinfo_data_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow vendor_init {
+  file_type
+  -system_file
+  -vendor_file_type
+  -exec_type
+  -vold_data_file
+  -keystore_data_file
+}:dir_file_class_set relabelto;
+
+allow vendor_init dev_type:dir create_dir_perms;
+allow vendor_init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow vendor_init debugfs_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow vendor_init {
+  fs_type
+  -contextmount_type
+  -sdcard_type
+  -rootfs
+  -proc_uid_time_in_state
+}:file { open read setattr };
+
+allow vendor_init {
+  fs_type
+  -contextmount_type
+  -sdcard_type
+  -rootfs
+  -proc_uid_time_in_state
+}:dir  { open read setattr search };
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+  dev_type
+  -kmem_device
+  -port_device
+  -lowpan_device
+  -hw_random_device
+}:chr_file setattr;
+
+allow vendor_init dev_type:blk_file getattr;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(vendor_init, proc_net)
+allow vendor_init proc_net:file w_file_perms;
+allow vendor_init self:capability net_admin;
+
+# Write to /proc/sys/vm/page-cluster
+allow vendor_init proc_page_cluster:file w_file_perms;
+
+# Write to sysfs nodes.
+allow vendor_init sysfs_type:dir r_dir_perms;
+allow vendor_init sysfs_type:lnk_file read;
+allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+
+# setfscreatecon() for labeling directories and socket files.
+allow vendor_init self:process { setfscreate };
+
+r_dir_file(vendor_init, vendor_file_type)
+
+# Vendor init can read properties
+allow vendor_init serialno_prop:file { getattr open read };
+
+# Vendor init can perform operations on trusted and security Extended Attributes
+allow vendor_init self:capability sys_admin;