1# recovery console (used in recovery init.rc for /sbin/recovery)
2
3# Declare the domain unconditionally so we can always reference it
4# in neverallow rules.
5type recovery, domain;
6
7# But the allow rules are only included in the recovery policy.
8# Otherwise recovery is only allowed the domain rules.
9recovery_only(`
10  allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
11
12  # Set security contexts on files that are not known to the loaded policy.
13  allow recovery self:capability2 mac_admin;
14
15  # Run helpers from / or /system without changing domain.
16  allow recovery rootfs:file execute_no_trans;
17  allow recovery system_file:file execute_no_trans;
18
19  # Mount filesystems.
20  allow recovery rootfs:dir mounton;
21  allow recovery fs_type:filesystem ~relabelto;
22  allow recovery unlabeled:filesystem ~relabelto;
23  allow recovery contextmount_type:filesystem relabelto;
24
25  # Create and relabel files and directories under /system.
26  allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
27  allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
28  allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
29
30  # We may be asked to set an SELinux label for a type not known to the
31  # currently loaded policy. Allow it.
32  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
33  allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
34
35  # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
36  # support to OTAs. However, that code has a bug. When an update occurs,
37  # some directories are inappropriately labeled as exec_type. This is
38  # only transient, and subsequent steps in the OTA script correct this
39  # mistake. New devices are moving to block based OTAs, so this is not
40  # worth fixing. b/15575013
41  allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
42
43  # Write to /proc/sys/vm/drop_caches
44  allow recovery proc_drop_caches:file w_file_perms;
45
46  # Write to /sys/class/android_usb/android0/enable.
47  # TODO: create more specific label?
48  allow recovery sysfs:file w_file_perms;
49
50  access_kmsg(recovery)
51
52  # Access /dev/android_adb or /dev/usb-ffs/adb/ep0
53  allow recovery adb_device:chr_file rw_file_perms;
54  allow recovery functionfs:dir search;
55  allow recovery functionfs:file rw_file_perms;
56
57  # Required to e.g. wipe userdata/cache.
58  allow recovery device:dir r_dir_perms;
59  allow recovery block_device:dir r_dir_perms;
60  allow recovery dev_type:blk_file rw_file_perms;
61
62  # GUI
63  allow recovery self:process execmem;
64  allow recovery ashmem_device:chr_file execute;
65  allow recovery graphics_device:chr_file rw_file_perms;
66  allow recovery graphics_device:dir r_dir_perms;
67  allow recovery input_device:dir r_dir_perms;
68  allow recovery input_device:chr_file r_file_perms;
69  allow recovery tty_device:chr_file rw_file_perms;
70
71  # Create /tmp/recovery.log and execute /tmp/update_binary.
72  allow recovery tmpfs:file { create_file_perms x_file_perms };
73  allow recovery tmpfs:dir create_dir_perms;
74
75  # Manage files on /cache
76  allow recovery cache_file:dir create_dir_perms;
77  allow recovery cache_file:file create_file_perms;
78
79  # Read files on /oem.
80  r_dir_file(recovery, oemfs);
81
82  # Reboot the device
83  set_prop(recovery, powerctl_prop)
84
85  # Start/stop adbd via ctl.start adbd
86  set_prop(recovery, ctl_default_prop)
87
88  # Use setfscreatecon() to label files for OTA updates.
89  allow recovery self:process setfscreate;
90
91  # Allow recovery to create a fuse filesystem, and read files from it.
92  allow recovery fuse_device:chr_file rw_file_perms;
93  allow recovery fuse:dir r_dir_perms;
94  allow recovery fuse:file r_file_perms;
95
96  wakelock_use(recovery)
97
98  # This line seems suspect, as it should not really need to
99  # set scheduling parameters for a kernel domain task.
100  allow recovery kernel:process setsched;
101')
102
103###
104### neverallow rules
105###
106
107# Recovery should never touch /data.
108#
109# In particular, if /data is encrypted, it is not accessible
110# to recovery anyway.
111#
112# For now, we only enforce write/execute restrictions, as domain.te
113# contains a number of read-only rules that apply to all
114# domains, including recovery.
115#
116# TODO: tighten this up further.
117neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
118neverallow recovery data_file_type:dir no_w_dir_perms;
119