| type cros_init, chromeos_domain, domain, mlstrustedsubject; |
| type cros_init_scripts, chromeos_domain, domain, cros_log_file_creator_domain, mlstrustedsubject; # init after exec sh. |
| |
| permissive cros_init; |
| permissive cros_init_scripts; |
| |
| type chromeos_init_exec, exec_type, file_type; |
| |
| allow kernel cros_init:process share; |
| allow cros_init kernel:fd use; |
| allow cros_init unlabeled:dir search; |
| |
| #allow cros_init device:chr_file r_file_perms; |
| allow cros_init console_device:chr_file rw_file_perms; |
| allow cros_init device:dir search; |
| |
| allow cros_init self:capability { sys_boot sys_resource }; |
| |
| allow cros_init rootfs:dir create_dir_perms; |
| |
| allow cros_init self:key { write search setattr }; |
| |
| allow domain cros_init:key search; |
| |
| # Allow reaping by init. |
| allow domain cros_init:process sigchld; |
| allow domain cros_init:fd use; |
| |
| # Transition from kernel to cros_init by executing chromeos's init. |
| domain_auto_trans(kernel, chromeos_init_exec, cros_init) |
| |
| r_dir_file(cros_init, sysfs); |
| r_dir_file(cros_init, cros_system_file); |
| r_dir_file(cros_init, cros_init_conf_file); |
| |
| execute_file_follow_link(cros_init, sh_exec); |
| execute_file_follow_link(cros_init, cros_ionice_exec); |
| domain_auto_trans(cros_init, sh_exec, cros_init_scripts); |
| domain_auto_trans(cros_init, cros_init_shell_scripts, cros_init_scripts); |
| |
| dev_only( |
| auditallow cros_init cros_init_shell_scripts:file execute; |
| ) |
| |
| allow cros_init cros_chrt_exec:file rx_file_perms; |
| |
| # init/metrics_library.conf |
| filetrans_pattern(cros_init_scripts, cros_var_lib, cros_metrics_file, dir, "metrics"); |
| filetrans_pattern(cros_init_scripts, cros_metrics_file, cros_metrics_uma_events_file, file, "uma-events"); |
| |
| # init/dbus.conf |
| filetrans_pattern(cros_init_scripts, cros_var_lib, cros_var_lib_dbus, dir, "dbus"); |
| filetrans_pattern(cros_init_scripts, cros_run, cros_run_dbus, dir, "dbus"); |
| |
| # init/cras.conf |
| filetrans_pattern(cros_init_scripts, cros_run, cras_socket, dir, "cras"); |
| |
| # init/powerd.conf |
| filetrans_pattern(cros_init_scripts, cros_var_log, cros_powerd_log, file, "powerd.out"); |
| |
| # init/anomaly_collector.conf |
| filetrans_pattern_no_target_perm(cros_init_scripts, cros_var_lib, cros_var_lib_whitelist, dir, "whitelist"); |
| |
| # init/chaps.conf |
| filetrans_pattern_no_target_perm(cros_init_scripts, cros_var_lib, cros_var_lib_chaps, dir, "chaps"); |