      1 # recovery console (used in recovery init.rc for /sbin/recovery)
        #
        # SELinux type-enforcement policy for the recovery domain. The allow
        # rules below are wrapped in recovery_only() and so are compiled only
        # into the recovery image's policy; the type declaration and the
        # neverallow rules at the bottom of this file apply to every build.
      2 
      3 # Declare the domain unconditionally so we can always reference it
      4 # in neverallow rules.
      5 type recovery, domain, domain_deprecated;
      6 
      7 # But the allow rules are only included in the recovery policy.
      8 # Otherwise recovery is only allowed the domain rules.
      9 recovery_only(`
     10   # Allow recovery to perform an update as update_engine would do.
        #  Taking these attributes gives recovery every rule written against
        #  update_engine_common and boot_control_hal, in addition to the
        #  explicit rules in this block.
     11   typeattribute recovery update_engine_common, boot_control_hal;
     12 
        #  Process capabilities. Several rules further down rely on these:
        #  sys_admin is what mount(2) needs, and chown/fowner/fsetid/dac_override
        #  back the create-and-relabel rules for files under /system.
     13   allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
     14 
     15   # Set security contexts on files that are not known to the loaded policy.
        #  (mac_admin is the capability behind the "unlabeled" relabel rules below.)
     16   allow recovery self:capability2 mac_admin;
     17 
     18   # Run helpers from / or /system without changing domain.
        #  execute_no_trans means the helper keeps running as "recovery", so it
        #  inherits this whole permission set rather than a narrower domain.
     19   allow recovery rootfs:file execute_no_trans;
     20   allow recovery system_file:file execute_no_trans;
     21   allow recovery toolbox_exec:file rx_file_perms;
     22 
     23   # Mount filesystems.
        #  "~relabelto" grants every filesystem-class permission except relabelto
        #  on any fs_type or unlabeled filesystem; relabelto itself is limited to
        #  contextmount_type filesystems.
     24   allow recovery rootfs:dir mounton;
     25   allow recovery fs_type:filesystem ~relabelto;
     26   allow recovery unlabeled:filesystem ~relabelto;
     27   allow recovery contextmount_type:filesystem relabelto;
     28 
     29   # Create and relabel files and directories under /system.
        #  exec_type is the attribute shared by executable file labels, so this
        #  is full create/write/relabel access to system binaries -- expected
        #  for applying an OTA, and the reason the neverallows below matter.
     30   allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
     31   allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
     32   allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
     33 
     34   # We may be asked to set an SELinux label for a type not known to the
     35   # currently loaded policy. Allow it.
        #  (Pairs with the mac_admin capability granted above.)
     36   allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
     37   allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
     38 
     39   # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
     40   # support to OTAs. However, that code has a bug. When an update occurs,
     41   # some directories are inappropriately labeled as exec_type. This is
     42   # only transient, and subsequent steps in the OTA script correct this
     43   # mistake. New devices are moving to block based OTAs, so this is not
     44   # worth fixing. b/15575013
     45   allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
     46 
     47   # Write to /proc/sys/vm/drop_caches
     48   allow recovery proc_drop_caches:file w_file_perms;
     49 
     50   # Write to /sys/class/android_usb/android0/enable.
     51   # TODO: create more specific label?
        #  As written this grants write on every file labeled sysfs, not just
        #  android0/enable; a dedicated type would narrow it to that one file.
     52   allow recovery sysfs:file w_file_perms;
     53 
     54   allow recovery sysfs_batteryinfo:file r_file_perms;
     55 
        #  Read the kernel log (dmesg).
     56   allow recovery kernel:system syslog_read;
     57 
     58   # Access /dev/android_adb or /dev/usb-ffs/adb/ep0
     59   allow recovery adb_device:chr_file rw_file_perms;
     60   allow recovery functionfs:dir search;
     61   allow recovery functionfs:file rw_file_perms;
     62 
     63   # Required to e.g. wipe userdata/cache.
        #  Note this is read/write on every block device node whose type carries
        #  the dev_type attribute, not only the userdata and cache partitions.
     64   allow recovery device:dir r_dir_perms;
     65   allow recovery block_device:dir r_dir_perms;
     66   allow recovery dev_type:blk_file rw_file_perms;
     67 
     68   # GUI
        #  execmem plus execute on ashmem permit executable anonymous memory;
        #  presumably needed by the graphics stack used for the recovery UI --
        #  confirm before tightening.
     69   allow recovery self:process execmem;
     70   allow recovery ashmem_device:chr_file execute;
     71   allow recovery graphics_device:chr_file rw_file_perms;
     72   allow recovery graphics_device:dir r_dir_perms;
     73   allow recovery input_device:dir r_dir_perms;
     74   allow recovery input_device:chr_file r_file_perms;
     75   allow recovery tty_device:chr_file rw_file_perms;
     76 
     77   # Create /tmp/recovery.log and execute /tmp/update_binary.
        #  x_file_perms is what lets the OTA's update_binary run out of tmpfs;
        #  together with execute_no_trans above it runs in this same domain.
     78   allow recovery tmpfs:file { create_file_perms x_file_perms };
     79   allow recovery tmpfs:dir create_dir_perms;
     80 
     81   # Manage files on /cache and /cache/recovery
     82   allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
     83   allow recovery { cache_file cache_recovery_file }:file create_file_perms;
     84 
     85   # Read files on /oem.
     86   r_dir_file(recovery, oemfs);
     87 
     88   # Reboot the device
     89   set_prop(recovery, powerctl_prop)
     90 
     91   # Start/stop adbd via ctl.start adbd
     92   set_prop(recovery, ctl_default_prop)
     93 
     94   # Use setfscreatecon() to label files for OTA updates.
     95   allow recovery self:process setfscreate;
     96 
     97   # Allow recovery to create a fuse filesystem, and read files from it.
     98   allow recovery fuse_device:chr_file rw_file_perms;
     99   allow recovery fuse:dir r_dir_perms;
    100   allow recovery fuse:file r_file_perms;
    101 
    102   wakelock_use(recovery)
    103 
    104   # This line seems suspect, as it should not really need to
    105   # set scheduling parameters for a kernel domain task.
    106   allow recovery kernel:process setsched;
    107 ')
    108 
    109 ###
    110 ### neverallow rules
    111 ###
        #
        # neverallow rules are assertions checked when the policy is built. They
        # are deliberately outside recovery_only(), so they hold for every build,
        # and they constrain the broad allow rules above.
    112 
    113 # Recovery should never touch /data.
    114 #
    115 # In particular, if /data is encrypted, it is not accessible
    116 # to recovery anyway.
    117 #
    118 # For now, we only enforce write/execute restrictions, as domain.te
    119 # contains a number of read-only rules that apply to all
    120 # domains, including recovery.
    121 #
    122 # TODO: tighten this up further.
    123 neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
    124 neverallow recovery data_file_type:dir no_w_dir_perms;
    125
    125