xref: /aosp_15_r20/system/sepolicy/prebuilts/api/31.0/public/fastbootd.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
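# fastbootd (used in recovery init.rc for /sbin/fastbootd)

# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
# The declaration also attaches the domain attribute, so rules written
# against domain apply to fastbootd even where the recovery-only allow
# rules are not compiled in.
type fastbootd, domain;
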
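# But the allow rules are only included in the recovery policy.
# Otherwise fastbootd is only allowed the domain rules.
#
# Review notes for this block:
# - Everything between the m4 quotes below is an argument to recovery_only,
#   and part of it to the nested userdebug_or_eng macro. Keep quote
#   characters (backtick, apostrophe) out of comments inside them, since
#   they would unbalance the m4 quoting.
# - Permission sets such as rw_file_perms, r_dir_perms and create_file_perms,
#   and the helper macros, are defined outside this file. Check their
#   expansion before reasoning about what a rule actually grants.
recovery_only(`
  # fastbootd can only use HALs in passthrough mode
  passthrough_hal_client_domain(fastbootd, hal_bootctl)

  # Access /dev/usb-ffs/fastbootd/ep0
  # FunctionFS is the USB gadget interface, so what is read from these files
  # originates from the connected host and is untrusted input to the daemon.
  allow fastbootd functionfs:dir search;
  allow fastbootd functionfs:file rw_file_perms;

  # Extended permission allowlist: the only ioctl command listed for
  # functionfs files is FUNCTIONFS_ENDPOINT_DESC.
  allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
  # Log to serial
  # Only open, getattr and write are granted here, so this rule lets the
  # domain write kernel log messages but not read the log back.
  allow fastbootd kmsg_device:chr_file { open getattr write };

  # battery info
  allow fastbootd sysfs_batteryinfo:file r_file_perms;

  # NOTE(review): no rationale is recorded for this rule; presumably it lets
  # fastbootd list the top-level device directory. Confirm.
  allow fastbootd device:dir r_dir_perms;

  # For dev/block/by-name dir
  allow fastbootd block_device:dir r_dir_perms;

  # Needed for DM_DEV_CREATE ioctl call
  # NOTE(review): sys_admin is a very broad capability and covers far more
  # than device-mapper setup. Treat this rule as a high-value item when
  # auditing what a compromised fastbootd could do.
  allow fastbootd self:capability sys_admin;

  # Connect to the socket named recovery that is served by the recovery
  # domain. The macro is defined outside this file; its arguments appear to
  # be client domain, socket name, server domain. Confirm.
  unix_socket_connect(fastbootd, recovery, recovery)

  # Required for flashing
  allow fastbootd dm_device:chr_file rw_file_perms;
  allow fastbootd dm_device:blk_file rw_file_perms;

  allow fastbootd cache_block_device:blk_file rw_file_perms;
  allow fastbootd super_block_device_type:blk_file rw_file_perms;
  # These four partitions get w_file_perms plus getattr and ioctl instead of
  # rw_file_perms. Assuming w_file_perms carries no read permission (confirm
  # against its definition), read access comes only from the separate rules
  # further down: metadata always, boot inside the userdebug_or_eng section.
  # NOTE(review): ioctl is granted for all four, but this file lists ioctl
  # commands only for metadata and userdata. Which commands are usable on
  # boot and system depends on extended permission rules elsewhere.
  allow fastbootd {
    boot_block_device
    metadata_block_device
    system_block_device
    userdata_block_device
  }:blk_file { w_file_perms getattr ioctl };

  # For disabling/wiping GSI, and for modifying/deleting files created via
  # libfiemap.
  allow fastbootd metadata_block_device:blk_file r_file_perms;
  allow fastbootd {rootfs tmpfs}:dir mounton;
  allow fastbootd metadata_file:dir { search getattr mounton };
  allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
  allow fastbootd gsi_metadata_file_type:file create_file_perms;

  # ioctl allowlist for super partition devices: two block-geometry queries.
  allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };

  # ioctl allowlist for these devices: the two discard commands.
  allowxperm fastbootd {
    metadata_block_device
    userdata_block_device
    dm_device
    cache_block_device
  }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };

  # NOTE(review): no rationale is recorded for this rule; misc is presumably
  # where the bootloader message is stored. Confirm.
  allow fastbootd misc_block_device:blk_file rw_file_perms;

  allow fastbootd proc_cmdline:file r_file_perms;
  allow fastbootd rootfs:dir r_dir_perms;

  # Needed to read fstab node from device tree.
  allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
  allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;

  # Needed because libdm reads sysfs to validate when a dm path is ready.
  r_dir_file(fastbootd, sysfs_dm)

  # Needed for realpath() call to resolve symlinks.
  # NOTE(review): getattr on block_device dirs looks already covered by the
  # r_dir_perms rule above. Harmless if so. Confirm.
  allow fastbootd block_device:dir getattr;
  # Debuggable builds only. The rules in this nested macro add the sys_rawio
  # capability, the BLKROSET ioctl on every dev_type block device, and
  # removal of system, vendor and unlabeled files and directories. When
  # auditing a production policy, verify that none of them are present.
  userdebug_or_eng(`
    # Refined manipulation of /mnt/scratch, without these perms resorts
    # to deleting scratch partition when partition(s) are flashed.
    allow fastbootd self:process setfscreate;
    allow fastbootd cache_file:dir search;
    allow fastbootd proc_filesystems:file { getattr open read };
    allow fastbootd self:capability sys_rawio;
    # dontaudit grants nothing. It only suppresses the denial record, so a
    # module_request attempt from this domain will not show up in audit logs.
    dontaudit fastbootd kernel:system module_request;
    # The target here is dev_type rather than a single device type, so the
    # BLKROSET allowlist entry is not limited to specific partitions.
    allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
    allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
    allow fastbootd {
      system_file_type
      unlabeled
      vendor_file_type
    }:dir { remove_name rmdir search write };
    allow fastbootd {
      overlayfs_file
      system_file_type
      unlabeled
      vendor_file_type
    }:{ file lnk_file } unlink;
    allow fastbootd tmpfs:dir rw_dir_perms;
    # Fetch vendor_boot partition
    allow fastbootd boot_block_device:blk_file r_file_perms;
  ')

  # Allow using libfiemap/gsid directly (no binder in recovery).
  # NOTE(review): search on gsi_metadata_file_type dirs looks already covered
  # by the rw_dir_perms rule above. Harmless if so. Confirm.
  allow fastbootd gsi_metadata_file_type:dir search;
  allow fastbootd ota_metadata_file:dir rw_dir_perms;
  allow fastbootd ota_metadata_file:file create_file_perms;
')
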
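###
### neverallow rules
###

# Write permission is required to wipe userdata
# until recovery supports vold.
#
# That is why the assertion below names only no_x_file_perms and leaves the
# write permissions out. A neverallow is an assertion checked when the policy
# is built; it adds no runtime rule. no_x_file_perms is defined outside this
# file; going by its name it covers the execute permissions, so the intent
# appears to be that no rule may ever let fastbootd execute a file of any
# data_file_type. Confirm against the macro definition.
neverallow fastbootd {
   data_file_type
}:file { no_x_file_perms };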