xref: /aosp_15_r20/system/sepolicy/prebuilts/api/31.0/private/recovery.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290) 
1*e4a36f41SAndroid Build Coastguard Workertypeattribute recovery coredomain;
2*e4a36f41SAndroid Build Coastguard Worker
3*e4a36f41SAndroid Build Coastguard Worker# The allow rules are only included in the recovery policy.
4*e4a36f41SAndroid Build Coastguard Worker# Otherwise recovery is only allowed the domain rules.
5*e4a36f41SAndroid Build Coastguard Workerrecovery_only(`
6*e4a36f41SAndroid Build Coastguard Worker  # Reboot the device
7*e4a36f41SAndroid Build Coastguard Worker  set_prop(recovery, powerctl_prop)
8*e4a36f41SAndroid Build Coastguard Worker
9*e4a36f41SAndroid Build Coastguard Worker  # Read serial number of the device from system properties
10*e4a36f41SAndroid Build Coastguard Worker  get_prop(recovery, serialno_prop)
11*e4a36f41SAndroid Build Coastguard Worker
12*e4a36f41SAndroid Build Coastguard Worker  # Set sys.usb.ffs.ready when starting minadbd for sideload.
13*e4a36f41SAndroid Build Coastguard Worker  get_prop(recovery, ffs_config_prop)
14*e4a36f41SAndroid Build Coastguard Worker  set_prop(recovery, ffs_control_prop)
15*e4a36f41SAndroid Build Coastguard Worker
16*e4a36f41SAndroid Build Coastguard Worker  # Set sys.usb.config when switching into fastboot.
17*e4a36f41SAndroid Build Coastguard Worker  set_prop(recovery, usb_control_prop)
18*e4a36f41SAndroid Build Coastguard Worker  set_prop(recovery, usb_prop)
19*e4a36f41SAndroid Build Coastguard Worker
20*e4a36f41SAndroid Build Coastguard Worker  # Read ro.boot.bootreason
21*e4a36f41SAndroid Build Coastguard Worker  get_prop(recovery, bootloader_boot_reason_prop)
22*e4a36f41SAndroid Build Coastguard Worker
23*e4a36f41SAndroid Build Coastguard Worker  # Read storage properties (for correctly formatting filesystems)
24*e4a36f41SAndroid Build Coastguard Worker  get_prop(recovery, storage_config_prop)
25*e4a36f41SAndroid Build Coastguard Worker
26*e4a36f41SAndroid Build Coastguard Worker  set_prop(recovery, gsid_prop)
27*e4a36f41SAndroid Build Coastguard Worker
28*e4a36f41SAndroid Build Coastguard Worker  # These are needed to allow recovery to manage network
29*e4a36f41SAndroid Build Coastguard Worker  allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
30*e4a36f41SAndroid Build Coastguard Worker  allow recovery self:global_capability_class_set net_admin;
31*e4a36f41SAndroid Build Coastguard Worker  allow recovery self:tcp_socket { create ioctl };
32*e4a36f41SAndroid Build Coastguard Worker  allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
33*e4a36f41SAndroid Build Coastguard Worker
34*e4a36f41SAndroid Build Coastguard Worker  # Start snapuserd for merging VABC updates
35*e4a36f41SAndroid Build Coastguard Worker  set_prop(recovery, ctl_snapuserd_prop)
36*e4a36f41SAndroid Build Coastguard Worker
37*e4a36f41SAndroid Build Coastguard Worker  # Needed to communicate with snapuserd to complete merges.
38*e4a36f41SAndroid Build Coastguard Worker  allow recovery snapuserd_socket:sock_file write;
39*e4a36f41SAndroid Build Coastguard Worker  allow recovery snapuserd:unix_stream_socket connectto;
40*e4a36f41SAndroid Build Coastguard Worker  allow recovery dm_user_device:dir r_dir_perms;
41*e4a36f41SAndroid Build Coastguard Worker
42*e4a36f41SAndroid Build Coastguard Worker  # Set fastbootd protocol property
43*e4a36f41SAndroid Build Coastguard Worker  set_prop(recovery, fastbootd_protocol_prop)
44*e4a36f41SAndroid Build Coastguard Worker
45*e4a36f41SAndroid Build Coastguard Worker  get_prop(recovery, recovery_config_prop)
46*e4a36f41SAndroid Build Coastguard Worker
47*e4a36f41SAndroid Build Coastguard Worker  # Needed to read bootconfig parameters through libfs_mgr
48*e4a36f41SAndroid Build Coastguard Worker  allow recovery proc_bootconfig:file r_file_perms;
49*e4a36f41SAndroid Build Coastguard Worker')
50