platform_system_sepolicy/recovery.te

89 lines
3.4 KiB
Text
Raw Normal View History

# recovery console (used in recovery init.rc for /sbin/recovery)
# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
type recovery, domain;
# But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
recovery_only(`
allow recovery rootfs:file { entrypoint execute };
permissive_or_unconfined(recovery)
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
# Set security contexts on files that are not known to the loaded policy.
allow recovery self:capability2 mac_admin;
# Run helpers from / or /system without changing domain.
allow recovery rootfs:file execute_no_trans;
allow recovery system_file:file execute_no_trans;
# Mount filesystems.
allow recovery rootfs:dir mounton;
allow recovery fs_type:filesystem ~relabelto;
allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto;
# Create and relabel files and directories under /system.
allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
recovery: Allow exec_type on dirs, read for /dev When applying a file based OTA, the recovery scripts sometimes transiently label a directory as an exec_type. This occurs on hammerhead when the OTA generation scripts generate lines of the form: set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0"); set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0"); which has the effect of transiently labeling the /system/vendor/bin directory as vss_exec. Allow this behavior for now, even though it's obviously a bug. Also, allow recovery to read through the /dev directory. Addresses the following denials: avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir Bug: 15575013 Change-Id: I743bea356382d3c23c136465dc5b434878370127
2014-06-15 18:40:12 +02:00
# 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
# support to OTAs. However, that code has a bug. When an update occurs,
# some directories are inappropriately labeled as exec_type. This is
# only transient, and subsequent steps in the OTA script correct this
# mistake.
# Allow this behavior for now until we can fix the underlying bug.
# b/15575013
allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
auditallow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
# Write to /proc/sys/vm/drop_caches
# TODO: create more specific label?
allow recovery proc:file w_file_perms;
# Write to /sys/class/android_usb/android0/enable.
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
# Access /dev/android_adb.
allow recovery adb_device:chr_file rw_file_perms;
# Required to e.g. wipe userdata/cache.
recovery: Allow exec_type on dirs, read for /dev When applying a file based OTA, the recovery scripts sometimes transiently label a directory as an exec_type. This occurs on hammerhead when the OTA generation scripts generate lines of the form: set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0"); set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0"); which has the effect of transiently labeling the /system/vendor/bin directory as vss_exec. Allow this behavior for now, even though it's obviously a bug. Also, allow recovery to read through the /dev directory. Addresses the following denials: avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir Bug: 15575013 Change-Id: I743bea356382d3c23c136465dc5b434878370127
2014-06-15 18:40:12 +02:00
allow recovery device:dir r_dir_perms;
allow recovery block_device:dir r_dir_perms;
allow recovery dev_type:blk_file rw_file_perms;
# GUI
allow recovery self:process execmem;
allow recovery ashmem_device:chr_file execute;
allow recovery graphics_device:chr_file rw_file_perms;
allow recovery graphics_device:dir r_dir_perms;
allow recovery input_device:dir r_dir_perms;
allow recovery input_device:chr_file r_file_perms;
allow recovery tty_device:chr_file rw_file_perms;
# Create /tmp/recovery.log and execute /tmp/update_binary.
allow recovery tmpfs:file { create_file_perms x_file_perms };
allow recovery tmpfs:dir create_dir_perms;
# Manage files on /cache
allow recovery cache_file:dir create_dir_perms;
allow recovery cache_file:file create_file_perms;
# Reboot the device
allow recovery powerctl_prop:property_service set;
unix_socket_connect(recovery, property, init)
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
wakelock_use(recovery)
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow recovery kernel:process setsched;
')