1# recovery console (used in recovery init.rc for /sbin/recovery) 2 3# Declare the domain unconditionally so we can always reference it 4# in neverallow rules. 5type recovery, domain; 6 7# But the allow rules are only included in the recovery policy. 8# Otherwise recovery is only allowed the domain rules. 9recovery_only(` 10 # Allow recovery to perform an update as update_engine would do. 11 typeattribute recovery update_engine_common; 12 # Recovery can only use HALs in passthrough mode 13 passthrough_hal_client_domain(recovery, hal_bootctl) 14 15 allow recovery self:global_capability_class_set { 16 chown 17 dac_override 18 dac_read_search 19 fowner 20 setuid 21 setgid 22 sys_admin 23 sys_tty_config 24 }; 25 26 # Run helpers from / or /system without changing domain. 27 r_dir_file(recovery, rootfs) 28 allow recovery rootfs:file execute_no_trans; 29 allow recovery system_file:file execute_no_trans; 30 allow recovery toolbox_exec:file rx_file_perms; 31 32 # Mount filesystems. 33 allow recovery rootfs:dir mounton; 34 allow recovery tmpfs:dir mounton; 35 allow recovery fs_type:filesystem ~relabelto; 36 allow recovery unlabeled:filesystem ~relabelto; 37 allow recovery contextmount_type:filesystem relabelto; 38 39 # We may be asked to set an SELinux label for a type not known to the 40 # currently loaded policy. Allow it. 41 allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto }; 42 allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto }; 43 44 # Get file contexts 45 allow recovery file_contexts_file:file r_file_perms; 46 47 # Write to /proc/sys/vm/drop_caches 48 allow recovery proc_drop_caches:file w_file_perms; 49 50 # Read /proc/swaps 51 allow recovery proc_swaps:file r_file_perms; 52 53 # Read kernel config through libvintf for OTA matching 54 allow recovery config_gz:file { open read getattr }; 55 56 # Write to /sys/class/android_usb/android0/enable. 57 r_dir_file(recovery, sysfs_android_usb) 58 allow recovery sysfs_android_usb:file w_file_perms; 59 60 # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq. 61 allow recovery sysfs_devices_system_cpu:file w_file_perms; 62 63 allow recovery sysfs_batteryinfo:file r_file_perms; 64 65 # Read /sysfs/fs/ext4/features 66 r_dir_file(recovery, sysfs_fs_ext4_features) 67 68 # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to 69 # control backlight brightness. 70 allow recovery sysfs_leds:dir r_dir_perms; 71 allow recovery sysfs_leds:file rw_file_perms; 72 allow recovery sysfs_leds:lnk_file read; 73 74 allow recovery kernel:system syslog_read; 75 76 # Access /dev/usb-ffs/adb/ep0 77 allow recovery functionfs:dir search; 78 allow recovery functionfs:file rw_file_perms; 79 allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC; 80 81 # Access to /sys/fs/selinux/policyvers for compatibility check 82 allow recovery selinuxfs:file r_file_perms; 83 84 # Required to e.g. wipe userdata/cache. 85 allow recovery device:dir r_dir_perms; 86 allow recovery block_device:dir r_dir_perms; 87 allow recovery dev_type:blk_file rw_file_perms; 88 allowxperm recovery { userdata_block_device metadata_block_device }:blk_file ioctl BLKPBSZGET; 89 90 # GUI 91 allow recovery graphics_device:chr_file rw_file_perms; 92 allow recovery graphics_device:dir r_dir_perms; 93 allow recovery input_device:dir r_dir_perms; 94 allow recovery input_device:chr_file r_file_perms; 95 allow recovery tty_device:chr_file rw_file_perms; 96 97 # Create /tmp/recovery.log and execute /tmp/update_binary. 98 allow recovery tmpfs:file { create_file_perms x_file_perms }; 99 allow recovery tmpfs:dir create_dir_perms; 100 101 # Manage files on /cache and /cache/recovery 102 allow recovery { cache_file cache_recovery_file }:dir create_dir_perms; 103 allow recovery { cache_file cache_recovery_file }:file create_file_perms; 104 105 # Read /sys/class/thermal/*/temp for thermal info. 106 r_dir_file(recovery, sysfs_thermal) 107 108 # Read files on /oem. 109 r_dir_file(recovery, oemfs); 110 111 # Reboot the device 112 set_prop(recovery, powerctl_prop) 113 114 # Read serial number of the device from system properties 115 get_prop(recovery, serialno_prop) 116 117 # Set sys.usb.ffs.ready when starting minadbd for sideload. 118 set_prop(recovery, ffs_prop) 119 set_prop(recovery, exported_ffs_prop) 120 121 # Set sys.usb.config when switching into fastboot. 122 set_prop(recovery, system_radio_prop) 123 set_prop(recovery, exported_system_radio_prop) 124 125 # Read ro.boot.bootreason 126 get_prop(recovery, bootloader_boot_reason_prop) 127 128 # Use setfscreatecon() to label files for OTA updates. 129 allow recovery self:process setfscreate; 130 131 # Allow recovery to create a fuse filesystem, and read files from it. 132 allow recovery fuse_device:chr_file rw_file_perms; 133 allow recovery fuse:dir r_dir_perms; 134 allow recovery fuse:file r_file_perms; 135 136 wakelock_use(recovery) 137 138 # This line seems suspect, as it should not really need to 139 # set scheduling parameters for a kernel domain task. 140 allow recovery kernel:process setsched; 141') 142 143### 144### neverallow rules 145### 146 147# Recovery should never touch /data. 148# 149# In particular, if /data is encrypted, it is not accessible 150# to recovery anyway. 151# 152# For now, we only enforce write/execute restrictions, as domain.te 153# contains a number of read-only rules that apply to all 154# domains, including recovery. 155# 156# TODO: tighten this up further. 157neverallow recovery { 158 data_file_type 159 -cache_file 160 -cache_recovery_file 161 with_native_coverage(`-method_trace_data_file') 162}:file { no_w_file_perms no_x_file_perms }; 163neverallow recovery { 164 data_file_type 165 -cache_file 166 -cache_recovery_file 167 with_native_coverage(`-method_trace_data_file') 168}:dir no_w_dir_perms; 169