# recovery console (used in recovery init.rc for /sbin/recovery) # Declare the domain unconditionally so we can always reference it # in neverallow rules. type recovery, domain; # But the allow rules are only included in the recovery policy. # Otherwise recovery is only allowed the domain rules. recovery_only(` # Allow recovery to perform an update as update_engine would do. typeattribute recovery update_engine_common; # Recovery can only use HALs in passthrough mode passthrough_hal_client_domain(recovery, hal_bootctl) allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config }; # Set security contexts on files that are not known to the loaded policy. allow recovery self:capability2 mac_admin; # Run helpers from / or /system without changing domain. r_dir_file(recovery, rootfs) allow recovery rootfs:file execute_no_trans; allow recovery system_file:file execute_no_trans; allow recovery toolbox_exec:file rx_file_perms; # Mount filesystems. allow recovery rootfs:dir mounton; allow recovery fs_type:filesystem ~relabelto; allow recovery unlabeled:filesystem ~relabelto; allow recovery contextmount_type:filesystem relabelto; # Create and relabel files and directories under /system. allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto }; allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto }; allow recovery system_file:dir { create_dir_perms relabelfrom relabelto }; # We may be asked to set an SELinux label for a type not known to the # currently loaded policy. Allow it. allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto }; allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto }; # Get file contexts allow recovery file_contexts_file:file r_file_perms; # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux # support to OTAs. However, that code has a bug. When an update occurs, # some directories are inappropriately labeled as exec_type. This is # only transient, and subsequent steps in the OTA script correct this # mistake. New devices are moving to block based OTAs, so this is not # worth fixing. b/15575013 allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto }; # Write to /proc/sys/vm/drop_caches allow recovery proc_drop_caches:file w_file_perms; # Read kernel config through libvintf for OTA matching allow recovery config_gz:file { open read getattr }; # Write to /sys/class/android_usb/android0/enable. # TODO: create more specific label? r_dir_file(recovery, sysfs) allow recovery sysfs:file w_file_perms; # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq. allow recovery sysfs_devices_system_cpu:file w_file_perms; allow recovery sysfs_batteryinfo:file r_file_perms; # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to # control backlight brightness. allow recovery sysfs_leds:dir r_dir_perms; allow recovery sysfs_leds:file rw_file_perms; allow recovery sysfs_leds:lnk_file read; allow recovery kernel:system syslog_read; # Access /dev/usb-ffs/adb/ep0 allow recovery functionfs:dir search; allow recovery functionfs:file rw_file_perms; # Access to /sys/fs/selinux/policyvers for compatibility check allow recovery selinuxfs:file r_file_perms; # Required to e.g. wipe userdata/cache. allow recovery device:dir r_dir_perms; allow recovery block_device:dir r_dir_perms; allow recovery dev_type:blk_file rw_file_perms; # GUI allow recovery graphics_device:chr_file rw_file_perms; allow recovery graphics_device:dir r_dir_perms; allow recovery input_device:dir r_dir_perms; allow recovery input_device:chr_file r_file_perms; allow recovery tty_device:chr_file rw_file_perms; # Create /tmp/recovery.log and execute /tmp/update_binary. allow recovery tmpfs:file { create_file_perms x_file_perms }; allow recovery tmpfs:dir create_dir_perms; # Manage files on /cache and /cache/recovery allow recovery { cache_file cache_recovery_file }:dir create_dir_perms; allow recovery { cache_file cache_recovery_file }:file create_file_perms; # Read /sys/class/thermal/*/temp for thermal info. r_dir_file(recovery, sysfs_thermal) # Read files on /oem. r_dir_file(recovery, oemfs); # Reboot the device set_prop(recovery, powerctl_prop) # Start/stop adbd via ctl.start adbd set_prop(recovery, ctl_default_prop) # Read serial number of the device from system properties get_prop(recovery, serialno_prop) # Set sys.usb.ffs.ready when starting minadbd for sideload. set_prop(recovery, ffs_prop) # Use setfscreatecon() to label files for OTA updates. allow recovery self:process setfscreate; # Allow recovery to create a fuse filesystem, and read files from it. allow recovery fuse_device:chr_file rw_file_perms; allow recovery fuse:dir r_dir_perms; allow recovery fuse:file r_file_perms; wakelock_use(recovery) # This line seems suspect, as it should not really need to # set scheduling parameters for a kernel domain task. allow recovery kernel:process setsched; ') ### ### neverallow rules ### # Recovery should never touch /data. # # In particular, if /data is encrypted, it is not accessible # to recovery anyway. # # For now, we only enforce write/execute restrictions, as domain.te # contains a number of read-only rules that apply to all # domains, including recovery. # # TODO: tighten this up further. neverallow recovery { data_file_type -cache_file -cache_recovery_file }:file { no_w_file_perms no_x_file_perms }; neverallow recovery { data_file_type -cache_file -cache_recovery_file }:dir no_w_dir_perms;