1# recovery console (used in recovery init.rc for /sbin/recovery) 2 3# Declare the domain unconditionally so we can always reference it 4# in neverallow rules. 5type recovery, domain; 6 7# But the allow rules are only included in the recovery policy. 8# Otherwise recovery is only allowed the domain rules. 9recovery_only(` 10 allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config }; 11 12 # Set security contexts on files that are not known to the loaded policy. 13 allow recovery self:capability2 mac_admin; 14 15 # Run helpers from / or /system without changing domain. 16 allow recovery rootfs:file execute_no_trans; 17 allow recovery system_file:file execute_no_trans; 18 19 # Mount filesystems. 20 allow recovery rootfs:dir mounton; 21 allow recovery fs_type:filesystem ~relabelto; 22 allow recovery unlabeled:filesystem ~relabelto; 23 allow recovery contextmount_type:filesystem relabelto; 24 25 # Create and relabel files and directories under /system. 26 allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto }; 27 allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto }; 28 allow recovery system_file:dir { create_dir_perms relabelfrom relabelto }; 29 30 # We may be asked to set an SELinux label for a type not known to the 31 # currently loaded policy. Allow it. 32 allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto }; 33 allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto }; 34 35 # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux 36 # support to OTAs. However, that code has a bug. When an update occurs, 37 # some directories are inappropriately labeled as exec_type. This is 38 # only transient, and subsequent steps in the OTA script correct this 39 # mistake. New devices are moving to block based OTAs, so this is not 40 # worth fixing. b/15575013 41 allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto }; 42 43 # Write to /proc/sys/vm/drop_caches 44 allow recovery proc_drop_caches:file w_file_perms; 45 46 # Write to /sys/class/android_usb/android0/enable. 47 # TODO: create more specific label? 48 allow recovery sysfs:file w_file_perms; 49 50 access_kmsg(recovery) 51 52 # Access /dev/android_adb or /dev/usb-ffs/adb/ep0 53 allow recovery adb_device:chr_file rw_file_perms; 54 allow recovery functionfs:dir search; 55 allow recovery functionfs:file rw_file_perms; 56 57 # Required to e.g. wipe userdata/cache. 58 allow recovery device:dir r_dir_perms; 59 allow recovery block_device:dir r_dir_perms; 60 allow recovery dev_type:blk_file rw_file_perms; 61 62 # GUI 63 allow recovery self:process execmem; 64 allow recovery ashmem_device:chr_file execute; 65 allow recovery graphics_device:chr_file rw_file_perms; 66 allow recovery graphics_device:dir r_dir_perms; 67 allow recovery input_device:dir r_dir_perms; 68 allow recovery input_device:chr_file r_file_perms; 69 allow recovery tty_device:chr_file rw_file_perms; 70 71 # Create /tmp/recovery.log and execute /tmp/update_binary. 72 allow recovery tmpfs:file { create_file_perms x_file_perms }; 73 allow recovery tmpfs:dir create_dir_perms; 74 75 # Manage files on /cache 76 allow recovery cache_file:dir create_dir_perms; 77 allow recovery cache_file:file create_file_perms; 78 79 # Read files on /oem. 80 r_dir_file(recovery, oemfs); 81 82 # Reboot the device 83 set_prop(recovery, powerctl_prop) 84 85 # Start/stop adbd via ctl.start adbd 86 set_prop(recovery, ctl_default_prop) 87 88 # Use setfscreatecon() to label files for OTA updates. 89 allow recovery self:process setfscreate; 90 91 # Allow recovery to create a fuse filesystem, and read files from it. 92 allow recovery fuse_device:chr_file rw_file_perms; 93 allow recovery fuse:dir r_dir_perms; 94 allow recovery fuse:file r_file_perms; 95 96 wakelock_use(recovery) 97 98 # This line seems suspect, as it should not really need to 99 # set scheduling parameters for a kernel domain task. 100 allow recovery kernel:process setsched; 101') 102 103### 104### neverallow rules 105### 106 107# Recovery should never touch /data. 108# 109# In particular, if /data is encrypted, it is not accessible 110# to recovery anyway. 111# 112# For now, we only enforce write/execute restrictions, as domain.te 113# contains a number of read-only rules that apply to all 114# domains, including recovery. 115# 116# TODO: tighten this up further. 117neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms }; 118neverallow recovery data_file_type:dir no_w_dir_perms; 119