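typeattribute fastbootd coredomain;

# The allow rules below are only included in the recovery policy.
# Outside recovery, fastbootd gets only the generic domain rules plus the
# ipc_lock / io_uring grants at the bottom of this file, which are NOT
# wrapped in recovery_only().
recovery_only(`
  # Reboot the device
  set_prop(fastbootd, powerctl_prop)

  # Read serial number of the device from system properties
  get_prop(fastbootd, serialno_prop)

  # Set sys.usb.ffs.ready.
  get_prop(fastbootd, ffs_config_prop)
  set_prop(fastbootd, ffs_control_prop)

  # Read persistent_properties_ready_prop on userdebug/eng builds only.
  userdebug_or_eng(`
    get_prop(fastbootd, persistent_properties_ready_prop)
  ')

  # Set gsid properties (presumably for GSI/DSU handling; confirm against
  # fastbootd's property writes).
  set_prop(fastbootd, gsid_prop)

  # Determine allocation scheme (whether B partitions need to be
  # at the second half of super).
  get_prop(fastbootd, virtual_ab_prop)
  get_prop(fastbootd, snapuserd_prop)

  # Needed for the TCP transport: bind a listening socket and accept
  # connections. Binding is limited to ports carrying the generic `port`
  # type; no ioctl on the socket itself is granted.
  allow fastbootd node:tcp_socket node_bind;
  allow fastbootd port:tcp_socket name_bind;
  allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };

  # Start snapuserd for merging VABC updates
  set_prop(fastbootd, ctl_snapuserd_prop)

  # Needed to communicate with snapuserd to complete merges.
  allow fastbootd snapuserd_socket:sock_file write;
  allow fastbootd snapuserd:unix_stream_socket connectto;
  allow fastbootd dm_user_device:dir r_dir_perms;

  # Get fastbootd protocol property
  get_prop(fastbootd, fastbootd_protocol_prop)

  # Mount /metadata to interact with Virtual A/B snapshots.
  # NOTE(review): the target is the labeledfs attribute, so this permits
  # mount/unmount of any labeled filesystem, not only /metadata.
  allow fastbootd labeledfs:filesystem { mount unmount };
  set_prop(fastbootd, boottime_prop)

  # Needed for reading boot properties.
  allow fastbootd proc_bootconfig:file r_file_perms;

  # Let this domain use the hal fastboot service
  binder_use(fastbootd)
  hal_client_domain(fastbootd, hal_fastboot)
')

# This capability allows fastbootd to circumvent memlock rlimits while using
# io_uring. An alternative would be to raise the memlock rlimit for the
# fastbootd service instead of granting the capability.
# NOTE(review): unlike everything above, these two grants are outside
# recovery_only(), so they are present in the normal-boot policy as well.
# If fastbootd's io_uring use is confined to fastboot/recovery mode, consider
# moving them into the recovery_only block after confirming nothing else
# (e.g. compat mappings or neverallow tests) depends on them being in the
# main policy.
allow fastbootd self:capability ipc_lock;
io_uring_use(fastbootd)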