# fastbootd carries the coredomain attribute (shared by the AOSP system-image
# domains). The `type fastbootd, domain;` declaration itself is not in this
# file and is presumably in the shared public policy.
typeattribute fastbootd coredomain;
2
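# With the exception of the ipc_lock/io_uring rules at the end of this file,
# the allow rules are only included in the recovery policy. Otherwise
# fastbootd is only allowed the domain rules.
recovery_only(`
  # Reboot the device
  set_prop(fastbootd, powerctl_prop)

  # Read serial number of the device from system properties
  get_prop(fastbootd, serialno_prop)

  # Set sys.usb.ffs.ready.
  get_prop(fastbootd, ffs_config_prop)
  set_prop(fastbootd, ffs_control_prop)

  userdebug_or_eng(`
    get_prop(fastbootd, persistent_properties_ready_prop)
  ')

  set_prop(fastbootd, gsid_prop)

  # Determine allocation scheme (whether B partitions needs to be
  # at the second half of super).
  get_prop(fastbootd, virtual_ab_prop)
  get_prop(fastbootd, snapuserd_prop)

  # Needed for TCP protocol. name_bind is granted on the generic `port`
  # type, so it is not pinned to one specific port label.
  allow fastbootd node:tcp_socket node_bind;
  allow fastbootd port:tcp_socket name_bind;
  allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };

  # Start snapuserd for merging VABC updates
  set_prop(fastbootd, ctl_snapuserd_prop)

  # Needed to communicate with snapuserd to complete merges.
  allow fastbootd snapuserd_socket:sock_file write;
  allow fastbootd snapuserd:unix_stream_socket connectto;
  allow fastbootd dm_user_device:dir r_dir_perms;

  # Get fastbootd protocol property
  get_prop(fastbootd, fastbootd_protocol_prop)

  # Mount /metadata to interact with Virtual A/B snapshots.
  allow fastbootd labeledfs:filesystem { mount unmount };
  set_prop(fastbootd, boottime_prop)

  # Needed for reading boot properties.
  allow fastbootd proc_bootconfig:file r_file_perms;

  # hal_bootctl is the only HAL reached in passthrough mode.
  passthrough_hal_client_domain(fastbootd, hal_bootctl)

  # hal_health and hal_fastboot are AIDL HALs reached over binder. One
  # binder_use / hal_client_domain(hal_fastboot) pair is sufficient; the
  # rules were previously listed twice.
  binder_use(fastbootd)
  hal_client_domain(fastbootd, hal_health)
  hal_client_domain(fastbootd, hal_fastboot)

  # Access /dev/usb-ffs/fastbootd/ep0
  allow fastbootd functionfs:dir search;
  allow fastbootd functionfs:file rw_file_perms;
  allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };

  # Log to serial
  allow fastbootd kmsg_device:chr_file { open getattr write };

  # battery info
  allow fastbootd sysfs_batteryinfo:file r_file_perms;

  allow fastbootd device:dir r_dir_perms;

  # For dev/block/by-name dir
  allow fastbootd block_device:dir r_dir_perms;

  # Needed for DM_DEV_CREATE ioctl call. CAP_SYS_ADMIN is far broader than
  # device-mapper control; it is only acceptable because this whole block is
  # recovery_only.
  allow fastbootd self:capability sys_admin;

  unix_socket_connect(fastbootd, recovery, recovery)

  # Required for flashing
  allow fastbootd dm_device:chr_file rw_file_perms;
  allow fastbootd dm_device:blk_file rw_file_perms;

  allow fastbootd cache_block_device:blk_file rw_file_perms;
  allow fastbootd super_block_device_type:blk_file rw_file_perms;
  # Write (not read) access for flashing. Read is granted separately only
  # where needed: metadata_block_device below, and boot_block_device on
  # userdebug/eng builds.
  allow fastbootd {
    boot_block_device
    metadata_block_device
    system_block_device
    userdata_block_device
  }:blk_file { w_file_perms getattr ioctl };

  # For disabling/wiping GSI, and for modifying/deleting files created via
  # libfiemap.
  allow fastbootd metadata_block_device:blk_file r_file_perms;
  allow fastbootd {rootfs tmpfs}:dir mounton;
  allow fastbootd metadata_file:dir { search getattr mounton };
  allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
  allow fastbootd gsi_metadata_file_type:file create_file_perms;

  # ioctl allow-lists. allowxperm only narrows an existing `ioctl` grant on
  # the same source/target; it never adds one.
  allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };

  allowxperm fastbootd {
    metadata_block_device
    userdata_block_device
    dm_device
    cache_block_device
  }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };

  allow fastbootd misc_block_device:blk_file rw_file_perms;

  allow fastbootd proc_cmdline:file r_file_perms;
  allow fastbootd rootfs:dir r_dir_perms;

  # Needed to read fstab node from device tree.
  allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
  allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;

  # Needed because libdm reads sysfs to validate when a dm path is ready.
  r_dir_file(fastbootd, sysfs_dm)

  # Needed for realpath() call to resolve symlinks.
  allow fastbootd block_device:dir getattr;

  userdebug_or_eng(`
    # Refined manipulation of /mnt/scratch, without these perms resorts
    # to deleting scratch partition when partition(s) are flashed.
    allow fastbootd self:process setfscreate;
    allow fastbootd cache_file:dir search;
    allow fastbootd proc_filesystems:file { getattr open read };
    allow fastbootd self:capability sys_rawio;
    # dev_type is broad, but this line only takes effect on blk_file types
    # that already have an `ioctl` allow from fastbootd (see above); there is
    # no `allow fastbootd dev_type:blk_file ioctl` in this file.
    allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
    allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
    # Debug builds only: lets fastbootd remove entries from system and vendor
    # file types, i.e. tear down overlay contents.
    allow fastbootd {
      system_file_type
      unlabeled
      vendor_file_type
    }:dir { remove_name rmdir search write };
    allow fastbootd {
      overlayfs_file
      system_file_type
      unlabeled
      vendor_file_type
    }:{ file lnk_file } unlink;
    allow fastbootd tmpfs:dir rw_dir_perms;
    # Fetch vendor_boot partition
    allow fastbootd boot_block_device:blk_file r_file_perms;

    # popen(/system/bin/dmesg) and associated permissions. We only allow this
    # on unlocked devices running userdebug builds. Note the policy itself
    # only gates on build variant (userdebug_or_eng); the unlocked-device
    # check must be enforced by fastbootd, not by these rules.
    allow fastbootd rootfs:file execute_no_trans;
    allow fastbootd system_file:file execute_no_trans;
    allow fastbootd kmsg_device:chr_file read;
    allow fastbootd kernel:system syslog_read;
  ')

  # Allow using libfiemap/gsid directly (no binder in recovery).
  allow fastbootd gsi_metadata_file_type:dir search;
  allow fastbootd ota_metadata_file:dir rw_dir_perms;
  allow fastbootd ota_metadata_file:file create_file_perms;

  # Fastbootd uses liblogwrap to write mke2fs logs to kmsg, liblogwrap requires devpts.
  allow fastbootd devpts:chr_file rw_file_perms;
')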
166
# This capability allows fastbootd to circumvent memlock rlimits while using
# io_uring. An alternative would be to up the memlock rlimit for the fastbootd service.
# NOTE(review): unlike the rules above, these two are not wrapped in
# recovery_only, so they are part of the fastbootd domain in every policy
# variant, not just recovery.
allow fastbootd self:capability ipc_lock;
io_uring_use(fastbootd)
171
###
### neverallow rules
###

# fastbootd must never be able to execute anything out of a data_file_type
# file (no_x_file_perms). Write is deliberately NOT in the banned set:
# write permission is required to wipe userdata until recovery supports vold.
neverallow fastbootd {
   data_file_type
}:file { no_x_file_perms };
181