sepolicy/policy/chromeos_base/init-scripts/chromeos_startup.te - mirrors/cros/chromiumos/platform2 - Git at Google

 type chromeos_startup, chromeos_domain, domain, cros_init_scripts_domain;

 permissive chromeos_startup;

 domain_auto_trans(cros_init, chromeos_startup_script_exec, chromeos_startup);
 cros_net(chromeos_startup);
 exec_coreutils(chromeos_startup);

 allow chromeos_startup cros_passwd_file:file r_file_perms;

 allow chromeos_startup { sysfs device }:dir mounton;
 arc_cts_fails_release(`
 allow chromeos_startup { tmpfs devpts debugfs configfs }:filesystem mount;
 ', (chromeos_startup));

 allow chromeos_startup sysfs:file { open read };
 allow chromeos_startup sysfs:dir { open read };
 allow chromeos_startup device:blk_file getattr;

 allow chromeos_startup { proc_cmdline proc_swaps proc_uptime }:file r_file_perms;
 allow chromeos_startup { proc_dirty proc_page_cluster proc_panic proc_sched proc_net }:file rw_file_perms;

 # we don't want to allow cros_shm and devpts to associate device, so let's leave
 # it as is and wait for restorecon after mounting devpts or tmpfs, instead of using
 # type_transition.
 # filetrans_pattern_no_target_perm(chromeos_startup, device, devpts, dir, "pts");
 # filetrans_pattern_no_target_perm(chromeos_startup, device, cros_shm, dir, "shm");

 # Misc files
 type chromeos_startup_tmp_file, file_type, cros_file_type, cros_tmpfile_type;
 type chromeos_startup_mount_options_log_file, file_type, cros_file_type, cros_var_file_type;
 type cros_var_log_asan, file_type, cros_file_type, cros_var_file_type;
 filetrans_pattern(chromeos_startup, cros_run, chromeos_startup_tmp_file, file);
 filetrans_pattern(chromeos_startup, cros_var_log, chromeos_startup_mount_options_log_file, file, "mount_options.log");
 filetrans_pattern(chromeos_startup, cros_var_log, cros_var_log_asan, dir, "asan");
 filetrans_pattern(chromeos_startup, cros_run_lock, cros_power_override_lock_file, dir, "power_override");

 allow chromeos_startup self:capability { chown fsetid linux_immutable sys_resource };

 allow domain chromeos_startup:key search;

 type chromeos_startup_restorecon, chromeos_domain, domain;
 permissive chromeos_startup_restorecon;
 execute_file_follow_link(chromeos_startup, cros_restorecon_exec);
 domain_auto_trans(chromeos_startup, cros_restorecon_exec, chromeos_startup_restorecon);
 allow chromeos_startup_restorecon chromeos_startup:fd use;

 filetrans_pattern(chromeos_startup, cros_var_lib, cros_tz_data_file, dir, "timezone");
	type chromeos_startup, chromeos_domain, domain, cros_init_scripts_domain;

	permissive chromeos_startup;

	domain_auto_trans(cros_init, chromeos_startup_script_exec, chromeos_startup);
	cros_net(chromeos_startup);
	exec_coreutils(chromeos_startup);

	allow chromeos_startup cros_passwd_file:file r_file_perms;

	allow chromeos_startup { sysfs device }:dir mounton;
	arc_cts_fails_release(`
	allow chromeos_startup { tmpfs devpts debugfs configfs }:filesystem mount;
	', (chromeos_startup));

	allow chromeos_startup sysfs:file { open read };
	allow chromeos_startup sysfs:dir { open read };
	allow chromeos_startup device:blk_file getattr;

	allow chromeos_startup { proc_cmdline proc_swaps proc_uptime }:file r_file_perms;
	allow chromeos_startup { proc_dirty proc_page_cluster proc_panic proc_sched proc_net }:file rw_file_perms;

	# we don't want to allow cros_shm and devpts to associate device, so let's leave
	# it as is and wait for restorecon after mounting devpts or tmpfs, instead of using
	# type_transition.
	# filetrans_pattern_no_target_perm(chromeos_startup, device, devpts, dir, "pts");
	# filetrans_pattern_no_target_perm(chromeos_startup, device, cros_shm, dir, "shm");

	# Misc files
	type chromeos_startup_tmp_file, file_type, cros_file_type, cros_tmpfile_type;
	type chromeos_startup_mount_options_log_file, file_type, cros_file_type, cros_var_file_type;
	type cros_var_log_asan, file_type, cros_file_type, cros_var_file_type;
	filetrans_pattern(chromeos_startup, cros_run, chromeos_startup_tmp_file, file);
	filetrans_pattern(chromeos_startup, cros_var_log, chromeos_startup_mount_options_log_file, file, "mount_options.log");
	filetrans_pattern(chromeos_startup, cros_var_log, cros_var_log_asan, dir, "asan");
	filetrans_pattern(chromeos_startup, cros_run_lock, cros_power_override_lock_file, dir, "power_override");

	allow chromeos_startup self:capability { chown fsetid linux_immutable sys_resource };

	allow domain chromeos_startup:key search;

	type chromeos_startup_restorecon, chromeos_domain, domain;
	permissive chromeos_startup_restorecon;
	execute_file_follow_link(chromeos_startup, cros_restorecon_exec);
	domain_auto_trans(chromeos_startup, cros_restorecon_exec, chromeos_startup_restorecon);
	allow chromeos_startup_restorecon chromeos_startup:fd use;

	filetrans_pattern(chromeos_startup, cros_var_lib, cros_tz_data_file, dir, "timezone");