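      # recovery console (used in recovery init.rc for /sbin/recovery)
#
# Type-enforcement policy for the recovery domain.  Everything inside
# recovery_only() is compiled into the recovery image's policy only; the
# neverallow rules at the bottom are build-time assertions checked against
# every policy that includes this file.

# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
type recovery, domain;

# But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
recovery_only(`
  # Allow recovery to perform an update as update_engine would do.
  # This inherits every rule granted to the update_engine_common attribute
  # (defined elsewhere), so widening that attribute widens recovery too.
  typeattribute recovery update_engine_common;
  # Recovery can only use HALs in passthrough mode
  passthrough_hal_client_domain(recovery, hal_bootctl)

  # Broad capability set.  NOTE(review): each capability should map to a
  # concrete recovery operation (presumably mounting, relabeling/chowning
  # files during an OTA, console setup); confirm before extending the list.
  allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };

  # Set security contexts on files that are not known to the loaded policy.
  allow recovery self:capability2 mac_admin;

  # Run helpers from / or /system without changing domain.
  # execute_no_trans: the helper keeps running as 'recovery'.
  r_dir_file(recovery, rootfs)
  allow recovery rootfs:file execute_no_trans;
  allow recovery system_file:file execute_no_trans;
  allow recovery toolbox_exec:file rx_file_perms;

  # Mount filesystems.  relabelto is withheld for every fs_type except
  # contextmount_type, so only those may be mounted with a forced context.
  allow recovery rootfs:dir mounton;
  allow recovery fs_type:filesystem ~relabelto;
  allow recovery unlabeled:filesystem ~relabelto;
  allow recovery contextmount_type:filesystem relabelto;

  # Create and relabel files and directories under /system.
  allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
  allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
  allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };

  # We may be asked to set an SELinux label for a type not known to the
  # currently loaded policy. Allow it.
  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
  allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
  # Get file contexts
  allow recovery file_contexts_file:file r_file_perms;

  # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
  # support to OTAs. However, that code has a bug. When an update occurs,
  # some directories are inappropriately labeled as exec_type. This is
  # only transient, and subsequent steps in the OTA script correct this
  # mistake. New devices are moving to block based OTAs, so this is not
  # worth fixing. b/15575013
  allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };

  # Write to /proc/sys/vm/drop_caches
  allow recovery proc_drop_caches:file w_file_perms;

  # Read kernel config through libvintf for OTA matching
  allow recovery config_gz:file { open read getattr };

  # Write to /sys/class/android_usb/android0/enable.
  # TODO: create more specific label?  As written this grants write access
  # to every file labeled sysfs, not only android0/enable.
  r_dir_file(recovery, sysfs)
  allow recovery sysfs:file w_file_perms;

  # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
  allow recovery sysfs_devices_system_cpu:file w_file_perms;

  allow recovery sysfs_batteryinfo:file r_file_perms;

  # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
  # control backlight brightness.
  allow recovery sysfs_leds:dir r_dir_perms;
  allow recovery sysfs_leds:file rw_file_perms;
  allow recovery sysfs_leds:lnk_file read;

  # Read the kernel log (dmesg).
  allow recovery kernel:system syslog_read;

  # Access /dev/usb-ffs/adb/ep0
  allow recovery functionfs:dir search;
  allow recovery functionfs:file rw_file_perms;

  # Access to /sys/fs/selinux/policyvers for compatibility check
  allow recovery selinuxfs:file r_file_perms;

  # Required to e.g. wipe userdata/cache.
  # NOTE(review): rw_file_perms on dev_type:blk_file is raw read/write on
  # every block device node, not just the partitions being wiped; no
  # narrower type is used here.
  allow recovery device:dir r_dir_perms;
  allow recovery block_device:dir r_dir_perms;
  allow recovery dev_type:blk_file rw_file_perms;

  # GUI
  allow recovery graphics_device:chr_file rw_file_perms;
  allow recovery graphics_device:dir r_dir_perms;
  allow recovery input_device:dir r_dir_perms;
  allow recovery input_device:chr_file r_file_perms;
  allow recovery tty_device:chr_file rw_file_perms;

  # Create /tmp/recovery.log and execute /tmp/update_binary.
  # x_file_perms includes execute_no_trans, so update_binary (extracted from
  # the OTA package) runs in the recovery domain itself.
  allow recovery tmpfs:file { create_file_perms x_file_perms };
  allow recovery tmpfs:dir create_dir_perms;

  # Manage files on /cache and /cache/recovery
  allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
  allow recovery { cache_file cache_recovery_file }:file create_file_perms;

  # Read /sys/class/thermal/*/temp for thermal info.
  r_dir_file(recovery, sysfs_thermal)

  # Read files on /oem.
  r_dir_file(recovery, oemfs)

  # Reboot the device
  set_prop(recovery, powerctl_prop)

  # Start/stop adbd via ctl.start adbd
  set_prop(recovery, ctl_default_prop)

  # Read serial number of the device from system properties
  get_prop(recovery, serialno_prop)

  # Set sys.usb.ffs.ready when starting minadbd for sideload.
  set_prop(recovery, ffs_prop)

  # Use setfscreatecon() to label files for OTA updates.
  allow recovery self:process setfscreate;

  # Allow recovery to create a fuse filesystem, and read files from it.
  allow recovery fuse_device:chr_file rw_file_perms;
  allow recovery fuse:dir r_dir_perms;
  allow recovery fuse:file r_file_perms;

  wakelock_use(recovery)

  # This line seems suspect, as it should not really need to
  # set scheduling parameters for a kernel domain task.
  allow recovery kernel:process setsched;
')

###
### neverallow rules
###
### These are checked at policy build time: any allow rule in this or
### another .te file that contradicts them fails the build.

# Recovery should never touch /data.
#
# In particular, if /data is encrypted, it is not accessible
# to recovery anyway.
#
# For now, we only enforce write/execute restrictions, as domain.te
# contains a number of read-only rules that apply to all
# domains, including recovery.
#
# cache_file and cache_recovery_file are carved out because the allow
# rules above grant create/write on them.
#
# TODO: tighten this up further.
neverallow recovery {
   data_file_type
   -cache_file
   -cache_recovery_file
}:file { no_w_file_perms no_x_file_perms };
neverallow recovery {
   data_file_type
   -cache_file
   -cache_recovery_file
}:dir no_w_dir_perms;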
    160