type copy_efs_files_to_data, domain;
type copy_efs_files_to_data_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(copy_efs_files_to_data);

# Output location /data/vendor/copied (modem_efs_image_file): full create
# permissions on directories, regular files and symlinks there.
allow copy_efs_files_to_data modem_efs_image_file:dir create_dir_perms;
allow copy_efs_files_to_data modem_efs_image_file:{ file lnk_file } create_file_perms;

# Toolbox and shell binaries from /vendor/bin.
allow copy_efs_files_to_data { vendor_toolbox_exec vendor_shell_exec }:file rx_file_perms;

# Intended for /vendor/bin/dump.f2fs, which carries the generic vendor_file
# label. NOTE(review): as written this grants execute_no_trans on every
# vendor_file-labelled file, not only dump.f2fs; a dedicated exec type for
# dump.f2fs would narrow it -- confirm whether one is available.
allow copy_efs_files_to_data vendor_file:file { getattr execute_no_trans };

# Source partitions dump.f2fs reads under /dev/block/by-name (efs and
# friends). Read-only: no blk_file write is granted anywhere in this domain.
allow copy_efs_files_to_data block_device:dir search;
allow copy_efs_files_to_data { efs_block_device modem_userdata_block_device persist_block_device }:blk_file r_file_perms;

# Existence check only (getattr, no search or read) for
# /data/vendor/copied/{efs,efs_backup,persist}.
allow copy_efs_files_to_data { modem_efs_file modem_userdata_file persist_file }:dir getattr;

# Read-only access to the sysfs SCSI device node tree. The reason is not
# stated in this file -- TODO confirm what the daemon or dump.f2fs reads here.
allow copy_efs_files_to_data sysfs_scsi_devices_0000:dir r_dir_perms;
allow copy_efs_files_to_data sysfs_scsi_devices_0000:file r_file_perms;

# dump.f2fs restores ownership/permissions of the files it extracts from an
# f2fs image; chown and fowner are the only capabilities granted.
allow copy_efs_files_to_data self:capability { chown fowner };

# Kernel debug log device: write, ioctl and getattr only (no read).
# Presumably the daemon's own logging path -- verify.
allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr };

# Expected denials that are silenced rather than allowed.

# Block devices stay read-only for this domain; only the audit noise from
# write attempts is suppressed. Do not turn this into an allow.
dontaudit copy_efs_files_to_data dev_type:blk_file write;

# Setting xattrs needs sys_admin, which is deliberately not granted.
dontaudit copy_efs_files_to_data self:capability sys_admin;

# dump.f2fs tries to restore SELinux labels on the dumped files; labelling
# is done afterwards with restorecon instead, so relabel is not granted.
dontaudit copy_efs_files_to_data modem_efs_image_file:{ dir file } relabelfrom;
dontaudit copy_efs_files_to_data { modem_efs_file modem_userdata_file vendor_persist_type }:{ dir file } relabelto;
61