1*e4a36f41SAndroid Build Coastguard Workertypeattribute recovery_refresh coredomain; 2*e4a36f41SAndroid Build Coastguard Worker 3*e4a36f41SAndroid Build Coastguard Workerinit_daemon_domain(recovery_refresh) 4*e4a36f41SAndroid Build Coastguard Worker 5*e4a36f41SAndroid Build Coastguard Workerallow recovery_refresh pstorefs:dir search; 6*e4a36f41SAndroid Build Coastguard Workerallow recovery_refresh pstorefs:file r_file_perms; 7*e4a36f41SAndroid Build Coastguard Worker# NB: domain inherits write_logd which hands us write to pmsg_device 8*e4a36f41SAndroid Build Coastguard Worker 9*e4a36f41SAndroid Build Coastguard Worker### 10*e4a36f41SAndroid Build Coastguard Worker### Neverallow rules 11*e4a36f41SAndroid Build Coastguard Worker### 12*e4a36f41SAndroid Build Coastguard Worker### recovery_refresh should NEVER do any of this 13*e4a36f41SAndroid Build Coastguard Worker 14*e4a36f41SAndroid Build Coastguard Worker# Block device access. 15*e4a36f41SAndroid Build Coastguard Workerneverallow recovery_refresh dev_type:blk_file { read write }; 16*e4a36f41SAndroid Build Coastguard Worker 17*e4a36f41SAndroid Build Coastguard Worker# ptrace any other app 18*e4a36f41SAndroid Build Coastguard Workerneverallow recovery_refresh domain:process ptrace; 19*e4a36f41SAndroid Build Coastguard Worker 20*e4a36f41SAndroid Build Coastguard Worker# Write to /system. 21*e4a36f41SAndroid Build Coastguard Workerneverallow recovery_refresh system_file_type:dir_file_class_set write; 22*e4a36f41SAndroid Build Coastguard Worker 23*e4a36f41SAndroid Build Coastguard Worker# Write to files in /data/data or system files on /data 24*e4a36f41SAndroid Build Coastguard Workerneverallow recovery_refresh { app_data_file_type system_data_file }:dir_file_class_set write; 25*e4a36f41SAndroid Build Coastguard Worker 26*e4a36f41SAndroid Build Coastguard Worker# recovery_refresh is not allowed to write anywhere 27*e4a36f41SAndroid Build Coastguard Workerneverallow recovery_refresh { 28*e4a36f41SAndroid Build Coastguard Worker file_type 29*e4a36f41SAndroid Build Coastguard Worker userdebug_or_eng(`-coredump_file') 30*e4a36f41SAndroid Build Coastguard Worker with_native_coverage(`-method_trace_data_file') 31*e4a36f41SAndroid Build Coastguard Worker}:file write; 32