# fastbootd (used in recovery init.rc for /sbin/fastbootd)

# Declare the domain unconditionally so we can always reference it
# in neverallow rules: the neverallow at the end of this file sits
# outside recovery_only, so the type has to resolve in every policy
# variant, not only in the recovery policy.
type fastbootd, domain;

# But the allow rules are only included in the recovery policy.
# Otherwise fastbootd is only allowed the domain rules.
recovery_only(`
  # hal_bootctl is reached only through the passthrough HAL macro.
  # (The older wording "fastbootd can only use HALs in passthrough mode"
  # is stale: the AIDL HALs right below are reached over binder.)
  passthrough_hal_client_domain(fastbootd, hal_bootctl)

  # fastbootd can use AIDL HALs in binder mode
  binder_use(fastbootd)
  hal_client_domain(fastbootd, hal_health)
  hal_client_domain(fastbootd, hal_fastboot)

  # Access /dev/usb-ffs/fastbootd/ep0, presumably the USB functionfs
  # endpoint on which host-sent fastboot commands arrive.
  allow fastbootd functionfs:dir search;
  allow fastbootd functionfs:file rw_file_perms;

  # rw_file_perms carries ioctl, so pin the permitted commands: once an
  # allowxperm rule exists for this source/target pair, every ioctl
  # command not listed is denied.
  allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
  # Log to serial. Write-only here; kmsg read is added only in the
  # userdebug_or_eng block further down.
  allow fastbootd kmsg_device:chr_file { open getattr write };

  # battery info
  allow fastbootd sysfs_batteryinfo:file r_file_perms;

  allow fastbootd device:dir r_dir_perms;

  # For dev/block/by-name dir
  allow fastbootd block_device:dir r_dir_perms;

  # Needed for DM_DEV_CREATE ioctl call.
  # CAP_SYS_ADMIN is far broader than device-mapper (it is also what turns
  # the mounton rules below into real mount(2) authority), so this single
  # line is the widest grant in the file; do not extend it further.
  allow fastbootd self:capability sys_admin;

  # Command channel to the recovery daemon over its UNIX socket.
  unix_socket_connect(fastbootd, recovery, recovery)

  # Required for flashing
  allow fastbootd dm_device:chr_file rw_file_perms;
  allow fastbootd dm_device:blk_file rw_file_perms;

  allow fastbootd cache_block_device:blk_file rw_file_perms;
  allow fastbootd super_block_device_type:blk_file rw_file_perms;
  # Deliberately not r_file_perms: these four get write plus getattr and
  # ioctl only, so fastbootd cannot read boot/system/userdata contents
  # back in user builds (metadata gains read just below, boot gains read
  # only under userdebug_or_eng).
  allow fastbootd {
    boot_block_device
    metadata_block_device
    system_block_device
    userdata_block_device
  }:blk_file { w_file_perms getattr ioctl };

  # For disabling/wiping GSI, and for modifying/deleting files created via
  # libfiemap.
  allow fastbootd metadata_block_device:blk_file r_file_perms;
  # mounton over /, tmpfs and /metadata; combined with sys_admin above this
  # is genuine mount authority inside recovery.
  allow fastbootd {rootfs tmpfs}:dir mounton;
  allow fastbootd metadata_file:dir { search getattr mounton };
  allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
  allow fastbootd gsi_metadata_file_type:file create_file_perms;

  # ioctl filters. An allowxperm rule narrows the ioctl permission granted
  # above to the listed commands for that source/target pair.
  allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };

  # NOTE(review): boot_block_device, system_block_device and
  # misc_block_device are granted ioctl above but have no allowxperm rule
  # in this file. Unless a rule elsewhere (for example a neverallowxperm in
  # domain.te) constrains them, every ioctl command is permitted on those
  # nodes in user builds; in userdebug_or_eng the dev_type BLKROSET rule
  # below becomes their only filter, which makes the user build the less
  # restricted one. Verify before treating the discard-only filter here as
  # a security boundary.
  allowxperm fastbootd {
    metadata_block_device
    userdata_block_device
    dm_device
    cache_block_device
  }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };

  # misc partition, read/write (and unfiltered ioctl, see the note above).
  allow fastbootd misc_block_device:blk_file rw_file_perms;

  allow fastbootd proc_cmdline:file r_file_perms;
  allow fastbootd rootfs:dir r_dir_perms;

  # Needed to read fstab node from device tree.
  allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
  allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;

  # Needed because libdm reads sysfs to validate when a dm path is ready.
  r_dir_file(fastbootd, sysfs_dm)

  # Needed for realpath() call to resolve symlinks.
  # NOTE(review): if r_dir_perms contains getattr (as in the global
  # macros), this is already implied by the block_device:dir rule above.
  allow fastbootd block_device:dir getattr;
  # Everything in this block is present on every userdebug/eng build,
  # locked or not: SELinux has no view of the bootloader lock state, so any
  # "unlocked devices only" restriction must be enforced by the fastbootd
  # code itself before it exercises these permissions.
  userdebug_or_eng(`
    # Refined manipulation of /mnt/scratch, without these perms resorts
    # to deleting scratch partition when partition(s) are flashed.
    allow fastbootd self:process setfscreate;
    allow fastbootd cache_file:dir search;
    allow fastbootd proc_filesystems:file { getattr open read };
    # Raw I/O capability plus BLKROSET (set/clear the read-only flag) on
    # every dev_type block node, not just the scratch device: in debug
    # builds fastbootd can flip any block device it can reach to writable.
    allow fastbootd self:capability sys_rawio;
    allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
    allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
    # Deletion rights over the system, vendor and unlabeled trees, not only
    # the overlay itself: needed to tear down overlayfs scratch state, but
    # it is a wide grant and is intentionally confined to debug builds.
    allow fastbootd {
      system_file_type
      unlabeled
      vendor_file_type
    }:dir { remove_name rmdir search write };
    allow fastbootd {
      overlayfs_file
      system_file_type
      unlabeled
      vendor_file_type
    }:{ file lnk_file } unlink;
    allow fastbootd tmpfs:dir rw_dir_perms;
    # Fetch vendor_boot partition (adds read on top of the write-only
    # boot_block_device rule above).
    allow fastbootd boot_block_device:blk_file r_file_perms;

    # popen(/system/bin/dmesg) and associated permissions. We only allow this
    # on unlocked devices running userdebug builds.
    # NOTE(review): the rules themselves are not limited to dmesg: they let
    # fastbootd execute any rootfs or system_file binary inside its own
    # domain (no transition), and the "unlocked" condition is a promise
    # kept by the fastbootd code, not by this policy.
    allow fastbootd rootfs:file execute_no_trans;
    allow fastbootd system_file:file execute_no_trans;
    allow fastbootd kmsg_device:chr_file read;
    allow fastbootd kernel:system syslog_read;
  ')

  # Allow using libfiemap/gsid directly (no binder in recovery).
  # NOTE(review): "no binder in recovery" predates binder_use above; the
  # point that still holds is that gsid is not reached as a service here.
  # The dir search below is already implied by the rw_dir_perms rule on
  # gsi_metadata_file_type earlier in this block.
  allow fastbootd gsi_metadata_file_type:dir search;
  allow fastbootd ota_metadata_file:dir rw_dir_perms;
  allow fastbootd ota_metadata_file:file create_file_perms;
')

###
### neverallow rules
###
### These sit outside recovery_only and are therefore checked in every
### policy variant, which is why the fastbootd type is declared
### unconditionally at the top of this file.

# Write permission is required to wipe userdata
# until recovery supports vold, so this deliberately forbids only
# execution, not writes: no_x_file_perms expands to the execute
# permissions (execute and execute_no_trans per the global macros).
# Any future allow rule granting those on data_file_type files fails
# the policy build here.
neverallow fastbootd {
   data_file_type
}:file { no_x_file_perms };