# Tag recovery with the coredomain attribute (a platform/core domain; the
# attribute itself is defined outside this file).
typeattribute recovery coredomain;

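# Everything inside recovery_only() is compiled only into the policy that
# ships in the recovery image.  In the normal system policy the recovery
# domain carries none of these allow rules and keeps only what domain.te
# grants to every domain.
#
# NOTE: this whole block is an m4-quoted argument; do not use apostrophes
# in comments inside it, they would terminate the quote.
recovery_only(`
  # Reboot the device
  set_prop(recovery, powerctl_prop)

  # Read serial number of the device from system properties
  get_prop(recovery, serialno_prop)

  # Read the ffs config and set sys.usb.ffs.ready when starting minadbd
  # for sideload.
  get_prop(recovery, ffs_config_prop)
  set_prop(recovery, ffs_control_prop)

  # Set sys.usb.config when switching into fastboot.
  set_prop(recovery, usb_control_prop)
  set_prop(recovery, usb_prop)

  # Read ro.boot.bootreason
  get_prop(recovery, bootloader_boot_reason_prop)

  # Read storage properties (for correctly formatting filesystems)
  get_prop(recovery, storage_config_prop)

  # Set gsid properties; recovery drives libfiemap/gsid itself (see below).
  set_prop(recovery, gsid_prop)

  # These are needed to allow recovery to manage network.  CAP_NET_ADMIN is
  # broad, but the socket ioctls are narrowed by allowxperm to reading and
  # setting interface flags only.
  allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
  allow recovery self:global_capability_class_set net_admin;
  allow recovery self:tcp_socket { create ioctl };
  allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };

  # Start snapuserd for merging VABC updates
  set_prop(recovery, ctl_snapuserd_prop)

  # Needed to communicate with snapuserd to complete merges.
  allow recovery snapuserd_socket:sock_file write;
  allow recovery snapuserd:unix_stream_socket connectto;
  allow recovery dm_user_device:dir r_dir_perms;
  get_prop(recovery, snapuserd_prop)

  # Set fastbootd protocol property
  set_prop(recovery, fastbootd_protocol_prop)

  # Read recovery configuration properties.
  get_prop(recovery, recovery_config_prop)

  # Needed to read bootconfig parameters through libfs_mgr
  allow recovery proc_bootconfig:file r_file_perms;

  # Allow recovery to perform an update as update_engine would do: every
  # rule granted to the update_engine_common attribute (defined elsewhere)
  # now applies to recovery as well.
  typeattribute recovery update_engine_common;
  # Recovery can use HIDL HALs in passthrough mode
  passthrough_hal_client_domain(recovery, hal_bootctl)

  # Recovery can use AIDL HALs in binder mode
  binder_use(recovery)
  hal_client_domain(recovery, hal_health)

  # Capabilities.  This is a broad set: dac_override/dac_read_search bypass
  # DAC checks entirely and sys_admin covers mount() and much more.  They are
  # granted because recovery is a minimal single-purpose environment; the
  # neverallow rules at the end of this file are what keep it away from /data.
  allow recovery self:global_capability_class_set {
    chown
    dac_override
    dac_read_search
    fowner
    setuid
    setgid
    sys_admin
    sys_tty_config
  };

  # Run helpers from / or /system without changing domain.  execute_no_trans
  # means the helper keeps running as recovery and inherits every rule in
  # this file, so only trusted binaries should be launched this way.
  r_dir_file(recovery, rootfs)
  allow recovery rootfs:file execute_no_trans;
  allow recovery system_file:file execute_no_trans;
  allow recovery toolbox_exec:file rx_file_perms;

  # Mount filesystems.  filesystem:relabelto (needed for context= mounts) is
  # withheld from the general set and granted only for contextmount_type in
  # the last rule.  On builds that enforce the debugfs restriction,
  # enforce_debugfs_restriction() subtracts debugfs_type so recovery cannot
  # mount debugfs there.
  allow recovery rootfs:dir mounton;
  allow recovery tmpfs:dir mounton;
  allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
  allow recovery unlabeled:filesystem ~relabelto;
  allow recovery contextmount_type:filesystem relabelto;

  # We may be asked to set an SELinux label for a type not known to the
  # currently loaded policy. Allow it.  Note this is full create/relabel
  # access on anything currently labeled unlabeled.
  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
  allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };

  # Get file contexts
  allow recovery file_contexts_file:file r_file_perms;

  # Write to /proc/sys/vm/drop_caches
  allow recovery proc_drop_caches:file w_file_perms;

  # Read /proc/swaps
  allow recovery proc_swaps:file r_file_perms;

  # Read kernel config through libvintf for OTA matching
  allow recovery config_gz:file { open read getattr };

  # Write to /sys/class/android_usb/android0/enable.
  r_dir_file(recovery, sysfs_android_usb)
  allow recovery sysfs_android_usb:file w_file_perms;

  # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
  allow recovery sysfs_devices_system_cpu:file w_file_perms;

  # Read battery information from sysfs.
  allow recovery sysfs_batteryinfo:file r_file_perms;

  # Read /sys/fs/ext4/features
  r_dir_file(recovery, sysfs_fs_ext4_features)

  # Read from /sys/class/leds/lcd-backlight/max_brightness and write to
  # /sys/class/leds/lcd-backlight/brightness to control backlight brightness.
  allow recovery sysfs_leds:dir r_dir_perms;
  allow recovery sysfs_leds:file rw_file_perms;
  allow recovery sysfs_leds:lnk_file read;

  # Read the kernel log.
  allow recovery kernel:system syslog_read;

  # Access /dev/usb-ffs/adb/ep0
  allow recovery functionfs:dir search;
  allow recovery functionfs:file rw_file_perms;
  allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;

  # Access to /sys/fs/selinux/policyvers for compatibility check
  allow recovery selinuxfs:file r_file_perms;

  # Required to e.g. wipe userdata/cache.  Note that the blk_file rule covers
  # all of dev_type, i.e. every block device node, not just the three
  # partitions named in the allowxperm.  Raw partition writes are inherent to
  # applying an update, so anything running in this domain can rewrite them.
  allow recovery device:dir r_dir_perms;
  allow recovery block_device:dir r_dir_perms;
  allow recovery dev_type:blk_file rw_file_perms;
  allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;

  # GUI
  allow recovery graphics_device:chr_file rw_file_perms;
  allow recovery graphics_device:dir r_dir_perms;
  allow recovery input_device:dir r_dir_perms;
  allow recovery input_device:chr_file r_file_perms;
  allow recovery tty_device:chr_file rw_file_perms;

  # Create /tmp/recovery.log and execute /tmp/update_binary.  This makes tmpfs
  # both writable and executable for recovery: whatever is written there and
  # then executed runs with every permission in this domain, so the content
  # must be verified before it is launched (outside the scope of this policy).
  allow recovery tmpfs:file { create_file_perms x_file_perms };
  allow recovery tmpfs:dir create_dir_perms;

  # Manage files on /cache and /cache/recovery.  Apart from the
  # native-coverage carve-out, these two types are the only data_file_type
  # members exempted from the neverallow rules at the end of this file.
  allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
  allow recovery { cache_file cache_recovery_file }:file create_file_perms;

  # Read /sys/class/thermal/*/temp for thermal info.
  r_dir_file(recovery, sysfs_thermal)

  # Read files on /oem.
  r_dir_file(recovery, oemfs)

  # Use setfscreatecon() to label files for OTA updates.
  allow recovery self:process setfscreate;

  # Allow recovery to create a fuse filesystem, and read files from it.
  allow recovery fuse_device:chr_file rw_file_perms;
  allow recovery fuse:dir r_dir_perms;
  allow recovery fuse:file r_file_perms;

  wakelock_use(recovery)

  # TODO: this rule looks unnecessary -- recovery should not need to set
  # scheduling parameters on a kernel-domain task.  Left in place until an
  # audit of recovery running without it confirms nothing relies on it;
  # remove it once that is established.
  allow recovery kernel:process setsched;

  # These are needed to update dynamic partitions in recovery.
  r_dir_file(recovery, sysfs_dm)
  allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };

  # Allow using libfiemap/gsid directly, in-process, rather than through a
  # gsid service (binder is used above only for the health HAL).
  allow recovery gsi_metadata_file_type:dir search;
  allow recovery ota_metadata_file:dir rw_dir_perms;
  allow recovery ota_metadata_file:file create_file_perms;

  # Allow mounting /metadata for writing update states
  allow recovery metadata_file:dir { getattr mounton };

  # Recovery uses liblogwrap to write fsck logs to kmsg, liblogwrap requires devpts.
  allow recovery devpts:chr_file rw_file_perms;
  allow recovery kmsg_device:chr_file { getattr w_file_perms };
')
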
###
### neverallow rules
###

# Recovery should never touch /data.
#
# In particular, if /data is encrypted, it is not accessible
# to recovery anyway.
#
# For now, we only enforce write/execute restrictions, as domain.te
# contains a number of read-only rules that apply to all
# domains, including recovery.
#
# The two cache types are carved out because recovery explicitly manages
# /cache and /cache/recovery (see the allow rules above); the
# method_trace_data_file carve-out exists only on native-coverage builds.
# These are compile-time assertions: an allow rule, here or in any other
# policy file, that grants recovery write (or, for files, execute) access
# to another data_file_type type fails the policy build.
#
# TODO: tighten this up further.
neverallow recovery {
   data_file_type
   -cache_file
   -cache_recovery_file
  with_native_coverage(`-method_trace_data_file')
}:file { no_w_file_perms no_x_file_perms };
neverallow recovery {
   data_file_type
   -cache_file
   -cache_recovery_file
  with_native_coverage(`-method_trace_data_file')
}:dir no_w_dir_perms;
