1typeattribute recovery coredomain; 2 3# The allow rules are only included in the recovery policy. 4# Otherwise recovery is only allowed the domain rules. 5recovery_only(` 6 # Reboot the device 7 set_prop(recovery, powerctl_prop) 8 9 # Read serial number of the device from system properties 10 get_prop(recovery, serialno_prop) 11 12 # Set sys.usb.ffs.ready when starting minadbd for sideload. 13 get_prop(recovery, ffs_config_prop) 14 set_prop(recovery, ffs_control_prop) 15 16 # Set sys.usb.config when switching into fastboot. 17 set_prop(recovery, usb_control_prop) 18 set_prop(recovery, usb_prop) 19 20 # Read ro.boot.bootreason 21 get_prop(recovery, bootloader_boot_reason_prop) 22 23 # Read storage properties (for correctly formatting filesystems) 24 get_prop(recovery, storage_config_prop) 25 26 set_prop(recovery, gsid_prop) 27 28 # These are needed to allow recovery to manage network 29 allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read }; 30 allow recovery self:global_capability_class_set net_admin; 31 allow recovery self:tcp_socket { create ioctl }; 32 allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS }; 33 34 # Start snapuserd for merging VABC updates 35 set_prop(recovery, ctl_snapuserd_prop) 36 37 # Needed to communicate with snapuserd to complete merges. 38 allow recovery snapuserd_socket:sock_file write; 39 allow recovery snapuserd:unix_stream_socket connectto; 40 allow recovery dm_user_device:dir r_dir_perms; 41 42 # Set fastbootd protocol property 43 set_prop(recovery, fastbootd_protocol_prop) 44 45 get_prop(recovery, recovery_config_prop) 46 47 # Needed to read bootconfig parameters through libfs_mgr 48 allow recovery proc_bootconfig:file r_file_perms; 49') 50