# Policy for the copy_efs_files_to_data daemon. It is started by init and
# copies the contents of the efs / modem userdata / persist partitions into
# /data/vendor/copied, using /vendor/bin/dump.f2fs to read the f2fs images.
type copy_efs_files_to_data, domain;
type copy_efs_files_to_data_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(copy_efs_files_to_data);

# Build the dumped tree under /data/vendor/copied (directories, regular
# files and symlinks).
allow copy_efs_files_to_data modem_efs_image_file:dir create_dir_perms;
allow copy_efs_files_to_data modem_efs_image_file:{ file lnk_file } create_file_perms;

# Run helper binaries from /vendor/bin (toolbox and the vendor shell) in
# this domain.
allow copy_efs_files_to_data { vendor_toolbox_exec vendor_shell_exec }:file rx_file_perms;

# /vendor/bin/dump.f2fs carries the generic vendor_file label, so it is run
# here without a domain transition.
# NOTE(review): execute_no_trans on vendor_file covers every file with that
# label, not just dump.f2fs. A dedicated exec type for dump.f2fs would
# narrow this to the one binary — confirm whether the build can label it
# separately.
allow copy_efs_files_to_data vendor_file:file { getattr execute_no_trans };

# Read-only access to the raw partitions that dump.f2fs parses
# (/dev/block/by-name/efs and the modem userdata / persist partitions).
allow copy_efs_files_to_data block_device:dir search;
allow copy_efs_files_to_data {
    efs_block_device
    modem_userdata_block_device
    persist_block_device
}:blk_file r_file_perms;

# stat() the destination directories
# (/data/vendor/copied/{efs,efs_backup,persist}) to check whether a copy
# already exists.
allow copy_efs_files_to_data {
    modem_efs_file
    modem_userdata_file
    persist_file
}:dir getattr;

# Read-only access to the sysfs entries labelled sysfs_scsi_devices_0000.
# NOTE(review): not explained in the original policy; presumably used to
# identify the backing storage device — verify against the daemon source.
allow copy_efs_files_to_data sysfs_scsi_devices_0000:dir r_dir_perms;
allow copy_efs_files_to_data sysfs_scsi_devices_0000:file r_file_perms;

# dump.f2fs restores ownership and mode bits on the files it extracts from
# the f2fs image.
allow copy_efs_files_to_data self:capability { chown fowner };

# Write access to the kernel debug log device (presumably progress/error
# logging — confirm against the daemon source).
allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr };

# Expected denials that are deliberately silenced rather than granted:

# Block devices are only ever read; the output goes to /data/vendor/copied,
# so writes to any block device must stay denied.
dontaudit copy_efs_files_to_data dev_type:blk_file write;

# Setting extended attributes would require sys_admin; it is not granted.
dontaudit copy_efs_files_to_data self:capability sys_admin;

# dump.f2fs tries to restore SELinux labels on the dumped files. Labelling
# is instead done by a separate restorecon pass, so these attempts are
# denied quietly.
dontaudit copy_efs_files_to_data modem_efs_image_file:{ dir file } relabelfrom;
dontaudit copy_efs_files_to_data {
    modem_efs_file
    modem_userdata_file
    vendor_persist_type
}:{ dir file } relabelto;