      1 # recovery console (used in recovery init.rc for /sbin/recovery)
      2 
      3 # Declare the domain unconditionally so we can always reference it
      4 # in neverallow rules.
      5 type recovery, domain;
      6 
      7 # But the allow rules are only included in the recovery policy.
      8 # Otherwise recovery is only allowed the domain rules.
      9 recovery_only(`
     10   # Allow recovery to perform an update as update_engine would do.
     11   typeattribute recovery update_engine_common;
     12   # Recovery can only use HALs in passthrough mode
     13   passthrough_hal_client_domain(recovery, hal_bootctl)
     14 
          # Capabilities needed to flash partitions and relabel files. sys_admin is
          # by far the broadest of these (it covers mount(2) among much else), so any
          # addition to this list should say which operation needs it.
     15   allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
     16 
     17   # Set security contexts on files that are not known to the loaded policy.
          # This pairs with the "unlabeled" rules further down.
     18   allow recovery self:capability2 mac_admin;
     19 
     20   # Run helpers from / or /system without changing domain.
          # execute_no_trans means the helper runs inside the recovery domain
          # itself and inherits every permission granted in this file.
     21   allow recovery rootfs:file execute_no_trans;
     22   allow recovery system_file:file execute_no_trans;
     23   allow recovery toolbox_exec:file rx_file_perms;
     24 
     25   # Mount filesystems.
          # "~relabelto" grants every filesystem permission except relabelto on any
          # fs_type / unlabeled filesystem; relabelto is only allowed for
          # contextmount_type (filesystems mounted with an explicit context, going by
          # the attribute name).
     26   allow recovery rootfs:dir mounton;
     27   allow recovery fs_type:filesystem ~relabelto;
     28   allow recovery unlabeled:filesystem ~relabelto;
     29   allow recovery contextmount_type:filesystem relabelto;
     30 
     31   # Create and relabel files and directories under /system.
     32   allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
     33   allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
     34   allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
     35 
     36   # We may be asked to set an SELinux label for a type not known to the
     37   # currently loaded policy. Allow it.
     38   allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
     39   allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
     40   # Get file contexts
     41   allow recovery file_contexts_file:file r_file_perms;
     42 
     43   # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
     44   # support to OTAs. However, that code has a bug. When an update occurs,
     45   # some directories are inappropriately labeled as exec_type. This is
     46   # only transient, and subsequent steps in the OTA script correct this
     47   # mistake. New devices are moving to block based OTAs, so this is not
     48   # worth fixing. b/15575013
     49   allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
     50 
     51   # Write to /proc/sys/vm/drop_caches
     52   allow recovery proc_drop_caches:file w_file_perms;
     53 
     54   # Read kernel config through libvintf for OTA matching
     55   allow recovery config_gz:file { open read getattr };
     56 
     57   # Write to /sys/class/android_usb/android0/enable.
     58   # TODO: create more specific label?
          # NOTE(review): "sysfs" is the generic label, so this rule grants write
          # access to every sysfs file that has not been given a more specific type,
          # not only android0/enable. A dedicated type would narrow it to that file.
     59   allow recovery sysfs:file w_file_perms;
     60 
     61   # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
     62   allow recovery sysfs_devices_system_cpu:file w_file_perms;
     63 
          # Read battery state from sysfs.
     64   allow recovery sysfs_batteryinfo:file r_file_perms;
     65 
     66   # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
     67   # control backlight brightness.
     68   allow recovery sysfs_leds:dir r_dir_perms;
     69   allow recovery sysfs_leds:file rw_file_perms;
     70   allow recovery sysfs_leds:lnk_file read;
     71 
          # Read the kernel message buffer.
     72   allow recovery kernel:system syslog_read;
     73 
     74   # Access /dev/usb-ffs/adb/ep0
     75   allow recovery functionfs:dir search;
     76   allow recovery functionfs:file rw_file_perms;
     77 
     78   # Required to e.g. wipe userdata/cache.
          # Note: dev_type covers every block device node, so this grants raw
          # read/write to all partitions, not only userdata and cache.
     79   allow recovery device:dir r_dir_perms;
     80   allow recovery block_device:dir r_dir_perms;
     81   allow recovery dev_type:blk_file rw_file_perms;
     82 
     83   # GUI
     84   allow recovery graphics_device:chr_file rw_file_perms;
     85   allow recovery graphics_device:dir r_dir_perms;
     86   allow recovery input_device:dir r_dir_perms;
     87   allow recovery input_device:chr_file r_file_perms;
     88   allow recovery tty_device:chr_file rw_file_perms;
     89 
     90   # Create /tmp/recovery.log and execute /tmp/update_binary.
          # No domain transition is declared here, so update_binary presumably runs
          # in the recovery domain itself.
     91   allow recovery tmpfs:file { create_file_perms x_file_perms };
     92   allow recovery tmpfs:dir create_dir_perms;
     93 
     94   # Manage files on /cache and /cache/recovery
     95   allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
     96   allow recovery { cache_file cache_recovery_file }:file create_file_perms;
     97 
     98   # Read /sys/class/thermal/*/temp for thermal info.
     99   r_dir_file(recovery, sysfs_thermal)
    100 
    101   # Read files on /oem.
    102   r_dir_file(recovery, oemfs);
    103 
    104   # Reboot the device
    105   set_prop(recovery, powerctl_prop)
    106 
    107   # Start/stop adbd via ctl.start adbd
    108   set_prop(recovery, ctl_default_prop)
    109 
    110   # Read serial number of the device from system properties
    111   get_prop(recovery, serialno_prop)
    112 
    113   # Use setfscreatecon() to label files for OTA updates.
    114   allow recovery self:process setfscreate;
    115 
    116   # Allow recovery to create a fuse filesystem, and read files from it.
    117   allow recovery fuse_device:chr_file rw_file_perms;
    118   allow recovery fuse:dir r_dir_perms;
    119   allow recovery fuse:file r_file_perms;
    120 
          # Take wakelocks (presumably to keep the device awake during an update).
    121   wakelock_use(recovery)
    122 
    123   # This line seems suspect, as it should not really need to
    124   # set scheduling parameters for a kernel domain task.
          # If audit logs show no denials without it, this rule is a candidate
          # for removal.
    125   allow recovery kernel:process setsched;
    126 ')
    127 
    128 ###
    129 ### neverallow rules
    130 ###
    131 
    132 # Recovery should never touch /data.
    133 #
    134 # In particular, if /data is encrypted, it is not accessible
    135 # to recovery anyway.
    136 #
    137 # For now, we only enforce write/execute restrictions, as domain.te
    138 # contains a number of read-only rules that apply to all
    139 # domains, including recovery.
    140 #
    141 # TODO: tighten this up further.
        # These neverallow rules are checked at policy build time, so any allow
        # rule above (or in another .te file) that conflicts with them fails the
        # build rather than silently widening recovery's access to /data.
    142 neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
    143 neverallow recovery data_file_type:dir no_w_dir_perms;
    144
    144