• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# recovery console (used in recovery init.rc for /sbin/recovery)
2
3# Declare the domain unconditionally so we can always reference it
4# in neverallow rules.
5type recovery, domain;
6
7# But the allow rules are only included in the recovery policy.
8# Otherwise recovery is only allowed the domain rules.
9recovery_only(`
10  # Allow recovery to perform an update as update_engine would do.
11  typeattribute recovery update_engine_common;
12  # Recovery can only use HALs in passthrough mode
13  passthrough_hal_client_domain(recovery, hal_bootctl)
14
15  allow recovery self:global_capability_class_set {
16    chown
17    dac_override
18    dac_read_search
19    fowner
20    setuid
21    setgid
22    sys_admin
23    sys_tty_config
24  };
25
26  # Run helpers from / or /system without changing domain.
27  r_dir_file(recovery, rootfs)
28  allow recovery rootfs:file execute_no_trans;
29  allow recovery system_file:file execute_no_trans;
30  allow recovery toolbox_exec:file rx_file_perms;
31
32  # Mount filesystems.
33  allow recovery rootfs:dir mounton;
34  allow recovery tmpfs:dir mounton;
35  allow recovery fs_type:filesystem ~relabelto;
36  allow recovery unlabeled:filesystem ~relabelto;
37  allow recovery contextmount_type:filesystem relabelto;
38
39  # We may be asked to set an SELinux label for a type not known to the
40  # currently loaded policy. Allow it.
41  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
42  allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
43
44  # Get file contexts
45  allow recovery file_contexts_file:file r_file_perms;
46
47  # Write to /proc/sys/vm/drop_caches
48  allow recovery proc_drop_caches:file w_file_perms;
49
50  # Read /proc/swaps
51  allow recovery proc_swaps:file r_file_perms;
52
53  # Read kernel config through libvintf for OTA matching
54  allow recovery config_gz:file { open read getattr };
55
56  # Write to /sys/class/android_usb/android0/enable.
57  r_dir_file(recovery, sysfs_android_usb)
58  allow recovery sysfs_android_usb:file w_file_perms;
59
60  # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
61  allow recovery sysfs_devices_system_cpu:file w_file_perms;
62
63  allow recovery sysfs_batteryinfo:file r_file_perms;
64
65  # Read /sysfs/fs/ext4/features
66  r_dir_file(recovery, sysfs_fs_ext4_features)
67
68  # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
69  # control backlight brightness.
70  allow recovery sysfs_leds:dir r_dir_perms;
71  allow recovery sysfs_leds:file rw_file_perms;
72  allow recovery sysfs_leds:lnk_file read;
73
74  allow recovery kernel:system syslog_read;
75
76  # Access /dev/usb-ffs/adb/ep0
77  allow recovery functionfs:dir search;
78  allow recovery functionfs:file rw_file_perms;
79  allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
80
81  # Access to /sys/fs/selinux/policyvers for compatibility check
82  allow recovery selinuxfs:file r_file_perms;
83
84  # Required to e.g. wipe userdata/cache.
85  allow recovery device:dir r_dir_perms;
86  allow recovery block_device:dir r_dir_perms;
87  allow recovery dev_type:blk_file rw_file_perms;
88  allowxperm recovery { userdata_block_device metadata_block_device }:blk_file ioctl BLKPBSZGET;
89
90  # GUI
91  allow recovery graphics_device:chr_file rw_file_perms;
92  allow recovery graphics_device:dir r_dir_perms;
93  allow recovery input_device:dir r_dir_perms;
94  allow recovery input_device:chr_file r_file_perms;
95  allow recovery tty_device:chr_file rw_file_perms;
96
97  # Create /tmp/recovery.log and execute /tmp/update_binary.
98  allow recovery tmpfs:file { create_file_perms x_file_perms };
99  allow recovery tmpfs:dir create_dir_perms;
100
101  # Manage files on /cache and /cache/recovery
102  allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
103  allow recovery { cache_file cache_recovery_file }:file create_file_perms;
104
105  # Read /sys/class/thermal/*/temp for thermal info.
106  r_dir_file(recovery, sysfs_thermal)
107
108  # Read files on /oem.
109  r_dir_file(recovery, oemfs);
110
111  # Reboot the device
112  set_prop(recovery, powerctl_prop)
113
114  # Read serial number of the device from system properties
115  get_prop(recovery, serialno_prop)
116
117  # Set sys.usb.ffs.ready when starting minadbd for sideload.
118  set_prop(recovery, ffs_prop)
119  set_prop(recovery, exported_ffs_prop)
120
121  # Set sys.usb.config when switching into fastboot.
122  set_prop(recovery, system_radio_prop)
123  set_prop(recovery, exported_system_radio_prop)
124
125  # Read ro.boot.bootreason
126  get_prop(recovery, bootloader_boot_reason_prop)
127
128  # Use setfscreatecon() to label files for OTA updates.
129  allow recovery self:process setfscreate;
130
131  # Allow recovery to create a fuse filesystem, and read files from it.
132  allow recovery fuse_device:chr_file rw_file_perms;
133  allow recovery fuse:dir r_dir_perms;
134  allow recovery fuse:file r_file_perms;
135
136  wakelock_use(recovery)
137
138  # This line seems suspect, as it should not really need to
139  # set scheduling parameters for a kernel domain task.
140  allow recovery kernel:process setsched;
141')
142
143###
144### neverallow rules
145###
146
147# Recovery should never touch /data.
148#
149# In particular, if /data is encrypted, it is not accessible
150# to recovery anyway.
151#
152# For now, we only enforce write/execute restrictions, as domain.te
153# contains a number of read-only rules that apply to all
154# domains, including recovery.
155#
156# TODO: tighten this up further.
157neverallow recovery {
158   data_file_type
159   -cache_file
160   -cache_recovery_file
161  with_native_coverage(`-method_trace_data_file')
162}:file { no_w_file_perms no_x_file_perms };
163neverallow recovery {
164   data_file_type
165   -cache_file
166   -cache_recovery_file
167  with_native_coverage(`-method_trace_data_file')
168}:dir no_w_dir_perms;
169