platform_system_sepolicy/public/recovery.te

179 lines
5.9 KiB
Text
Raw Normal View History

# recovery console (used in recovery init.rc for /sbin/recovery)
# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
type recovery, domain;
# But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
recovery_only(`
# Allow recovery to perform an update as update_engine would do.
typeattribute recovery update_engine_common;
# Recovery can only use HALs in passthrough mode
passthrough_hal_client_domain(recovery, hal_bootctl)
allow recovery self:global_capability_class_set {
chown
dac_override
dac_read_search
fowner
setuid
setgid
sys_admin
sys_tty_config
};
# Run helpers from / or /system without changing domain.
r_dir_file(recovery, rootfs)
allow recovery rootfs:file execute_no_trans;
allow recovery system_file:file execute_no_trans;
allow recovery toolbox_exec:file rx_file_perms;
# Mount filesystems.
allow recovery rootfs:dir mounton;
allow recovery tmpfs:dir mounton;
allow recovery fs_type:filesystem ~relabelto;
allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto;
# We may be asked to set an SELinux label for a type not known to the
# currently loaded policy. Allow it.
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
# Get file contexts
allow recovery file_contexts_file:file r_file_perms;
# Write to /proc/sys/vm/drop_caches
allow recovery proc_drop_caches:file w_file_perms;
# Read /proc/swaps
allow recovery proc_swaps:file r_file_perms;
# Read kernel config through libvintf for OTA matching
allow recovery config_gz:file { open read getattr };
# Write to /sys/class/android_usb/android0/enable.
r_dir_file(recovery, sysfs_android_usb)
allow recovery sysfs_android_usb:file w_file_perms;
# Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
allow recovery sysfs_devices_system_cpu:file w_file_perms;
allow recovery sysfs_batteryinfo:file r_file_perms;
# Read /sysfs/fs/ext4/features
r_dir_file(recovery, sysfs_fs_ext4_features)
# Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
# control backlight brightness.
allow recovery sysfs_leds:dir r_dir_perms;
allow recovery sysfs_leds:file rw_file_perms;
allow recovery sysfs_leds:lnk_file read;
allow recovery kernel:system syslog_read;
# Access /dev/usb-ffs/adb/ep0
allow recovery functionfs:dir search;
allow recovery functionfs:file rw_file_perms;
allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
# Access to /sys/fs/selinux/policyvers for compatibility check
allow recovery selinuxfs:file r_file_perms;
# Required to e.g. wipe userdata/cache.
recovery: Allow exec_type on dirs, read for /dev When applying a file based OTA, the recovery scripts sometimes transiently label a directory as an exec_type. This occurs on hammerhead when the OTA generation scripts generate lines of the form: set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0"); set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0"); which has the effect of transiently labeling the /system/vendor/bin directory as vss_exec. Allow this behavior for now, even though it's obviously a bug. Also, allow recovery to read through the /dev directory. Addresses the following denials: avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir Bug: 15575013 Change-Id: I743bea356382d3c23c136465dc5b434878370127
2014-06-15 18:40:12 +02:00
allow recovery device:dir r_dir_perms;
allow recovery block_device:dir r_dir_perms;
allow recovery dev_type:blk_file rw_file_perms;
allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;
# GUI
allow recovery graphics_device:chr_file rw_file_perms;
allow recovery graphics_device:dir r_dir_perms;
allow recovery input_device:dir r_dir_perms;
allow recovery input_device:chr_file r_file_perms;
allow recovery tty_device:chr_file rw_file_perms;
# Create /tmp/recovery.log and execute /tmp/update_binary.
allow recovery tmpfs:file { create_file_perms x_file_perms };
allow recovery tmpfs:dir create_dir_perms;
# Manage files on /cache and /cache/recovery
allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
allow recovery { cache_file cache_recovery_file }:file create_file_perms;
# Read /sys/class/thermal/*/temp for thermal info.
r_dir_file(recovery, sysfs_thermal)
# Read files on /oem.
r_dir_file(recovery, oemfs);
# Reboot the device
set_prop(recovery, powerctl_prop)
# Read serial number of the device from system properties
get_prop(recovery, serialno_prop)
# Set sys.usb.ffs.ready when starting minadbd for sideload.
set_prop(recovery, ffs_prop)
set_prop(recovery, exported_ffs_prop)
# Set sys.usb.config when switching into fastboot.
set_prop(recovery, system_radio_prop)
set_prop(recovery, exported_system_radio_prop)
# Read ro.boot.bootreason
get_prop(recovery, bootloader_boot_reason_prop)
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
# Allow recovery to create a fuse filesystem, and read files from it.
allow recovery fuse_device:chr_file rw_file_perms;
allow recovery fuse:dir r_dir_perms;
allow recovery fuse:file r_file_perms;
wakelock_use(recovery)
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow recovery kernel:process setsched;
# These are needed to update dynamic partitions in recovery.
r_dir_file(recovery, sysfs_dm)
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
# Allow using libfiemap/gsid directly (no binder in recovery).
set_prop(recovery, gsid_prop)
allow recovery gsi_metadata_file:dir search;
allow recovery ota_metadata_file:dir rw_dir_perms;
allow recovery ota_metadata_file:file create_file_perms;
')
###
### neverallow rules
###
# Recovery should never touch /data.
#
# In particular, if /data is encrypted, it is not accessible
# to recovery anyway.
#
# For now, we only enforce write/execute restrictions, as domain.te
# contains a number of read-only rules that apply to all
# domains, including recovery.
#
# TODO: tighten this up further.
neverallow recovery {
data_file_type
-cache_file
-cache_recovery_file
with_native_coverage(`-method_trace_data_file')
}:file { no_w_file_perms no_x_file_perms };
neverallow recovery {
data_file_type
-cache_file
-cache_recovery_file
with_native_coverage(`-method_trace_data_file')
}:dir no_w_dir_perms;