1typeattribute recovery_persist coredomain; 2 3init_daemon_domain(recovery_persist) 4 5allow recovery_persist pstorefs:dir search; 6allow recovery_persist pstorefs:file r_file_perms; 7 8allow recovery_persist recovery_data_file:file create_file_perms; 9allow recovery_persist recovery_data_file:dir create_dir_perms; 10 11allow recovery_persist cache_file:dir search; 12allow recovery_persist cache_file:lnk_file read; 13allow recovery_persist cache_recovery_file:dir rw_dir_perms; 14allow recovery_persist cache_recovery_file:file { r_file_perms unlink }; 15 16### 17### Neverallow rules 18### 19### recovery_persist should NEVER do any of this 20 21# Block device access. 22neverallow recovery_persist dev_type:blk_file { read write }; 23 24# ptrace any other app 25neverallow recovery_persist domain:process ptrace; 26 27# Write to /system. 28neverallow recovery_persist system_file_type:dir_file_class_set write; 29 30# Write to files in /data/data 31neverallow recovery_persist { app_data_file_type system_data_file }:dir_file_class_set write; 32 33# recovery_persist is not allowed to write anywhere other than recovery_data_file 34neverallow recovery_persist { 35 file_type 36 -recovery_data_file 37 userdebug_or_eng(`-coredump_file') 38 with_native_coverage(`-method_trace_data_file') 39}:file write; 40