2014-01-13 15:45:45 +01:00
|
|
|
# recovery console (used in recovery init.rc for /sbin/recovery)
|
2014-05-29 22:40:15 +02:00
|
|
|
|
|
|
|
# Declare the domain unconditionally so we can always reference it
|
|
|
|
# in neverallow rules.
|
2017-05-15 22:19:03 +02:00
|
|
|
type recovery, domain;
|
2014-01-13 15:45:45 +01:00
|
|
|
|
2014-05-29 22:40:15 +02:00
|
|
|
# But the allow rules are only included in the recovery policy.
|
|
|
|
# Otherwise recovery is only allowed the domain rules.
|
|
|
|
recovery_only(`
|
2016-08-04 05:31:37 +02:00
|
|
|
# Allow recovery to perform an update as update_engine would do.
|
Switch Boot Control HAL policy to _client/_server
This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.
Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.
Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.
P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.
Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
1. make dist
2. Ensure device has network connectivity
3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
2017-03-17 03:17:15 +01:00
|
|
|
typeattribute recovery update_engine_common;
|
2017-03-20 21:11:33 +01:00
|
|
|
# Recovery can only use HALs in passthrough mode
|
|
|
|
passthrough_hal_client_domain(recovery, hal_bootctl)
|
2016-08-04 05:31:37 +02:00
|
|
|
|
2017-12-11 18:22:01 +01:00
|
|
|
allow recovery self:global_capability_class_set {
|
|
|
|
chown
|
|
|
|
dac_override
|
2018-09-07 00:19:40 +02:00
|
|
|
dac_read_search
|
2017-12-11 18:22:01 +01:00
|
|
|
fowner
|
|
|
|
setuid
|
|
|
|
setgid
|
|
|
|
sys_admin
|
|
|
|
sys_tty_config
|
|
|
|
};
|
2014-01-30 19:23:08 +01:00
|
|
|
|
2014-06-19 15:07:17 +02:00
|
|
|
# Run helpers from / or /system without changing domain.
|
2017-06-14 19:11:12 +02:00
|
|
|
r_dir_file(recovery, rootfs)
|
2014-06-19 15:07:17 +02:00
|
|
|
allow recovery rootfs:file execute_no_trans;
|
|
|
|
allow recovery system_file:file execute_no_trans;
|
2015-08-25 17:38:29 +02:00
|
|
|
allow recovery toolbox_exec:file rx_file_perms;
|
2014-06-19 15:07:17 +02:00
|
|
|
|
2014-05-29 22:40:15 +02:00
|
|
|
# Mount filesystems.
|
2014-06-04 01:16:21 +02:00
|
|
|
allow recovery rootfs:dir mounton;
|
2018-06-01 05:31:33 +02:00
|
|
|
allow recovery tmpfs:dir mounton;
|
2014-06-16 19:05:38 +02:00
|
|
|
allow recovery fs_type:filesystem ~relabelto;
|
|
|
|
allow recovery unlabeled:filesystem ~relabelto;
|
|
|
|
allow recovery contextmount_type:filesystem relabelto;
|
2014-01-13 15:45:45 +01:00
|
|
|
|
2017-12-11 18:22:01 +01:00
|
|
|
# We may be asked to set an SELinux label for a type not known to the
|
|
|
|
# currently loaded policy. Allow it.
|
|
|
|
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
|
|
|
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
|
|
|
|
|
2017-03-24 23:02:13 +01:00
|
|
|
# Get file contexts
|
|
|
|
allow recovery file_contexts_file:file r_file_perms;
|
2014-07-07 22:19:24 +02:00
|
|
|
|
2014-06-05 08:43:03 +02:00
|
|
|
# Write to /proc/sys/vm/drop_caches
|
2015-05-15 05:55:31 +02:00
|
|
|
allow recovery proc_drop_caches:file w_file_perms;
|
2014-05-29 20:35:55 +02:00
|
|
|
|
2017-10-26 19:29:52 +02:00
|
|
|
# Read /proc/swaps
|
|
|
|
allow recovery proc_swaps:file r_file_perms;
|
|
|
|
|
2017-04-19 20:35:15 +02:00
|
|
|
# Read kernel config through libvintf for OTA matching
|
|
|
|
allow recovery config_gz:file { open read getattr };
|
|
|
|
|
2017-10-17 01:19:47 +02:00
|
|
|
# Write to /sys/class/android_usb/android0/enable.
|
|
|
|
r_dir_file(recovery, sysfs_android_usb)
|
|
|
|
allow recovery sysfs_android_usb:file w_file_perms;
|
2014-06-19 18:15:22 +02:00
|
|
|
|
2016-11-22 22:53:01 +01:00
|
|
|
# Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
|
|
|
|
allow recovery sysfs_devices_system_cpu:file w_file_perms;
|
|
|
|
|
2016-02-17 21:23:13 +01:00
|
|
|
allow recovery sysfs_batteryinfo:file r_file_perms;
|
|
|
|
|
2017-10-26 19:29:52 +02:00
|
|
|
# Read /sysfs/fs/ext4/features
|
|
|
|
r_dir_file(recovery, sysfs_fs_ext4_features)
|
|
|
|
|
2017-01-25 08:29:11 +01:00
|
|
|
# Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
|
|
|
|
# control backlight brightness.
|
|
|
|
allow recovery sysfs_leds:dir r_dir_perms;
|
|
|
|
allow recovery sysfs_leds:file rw_file_perms;
|
|
|
|
allow recovery sysfs_leds:lnk_file read;
|
|
|
|
|
2016-01-26 08:42:54 +01:00
|
|
|
allow recovery kernel:system syslog_read;
|
2014-12-09 21:43:26 +01:00
|
|
|
|
2017-01-11 23:58:28 +01:00
|
|
|
# Access /dev/usb-ffs/adb/ep0
|
2014-07-10 22:40:25 +02:00
|
|
|
allow recovery functionfs:dir search;
|
|
|
|
allow recovery functionfs:file rw_file_perms;
|
2018-11-21 21:37:40 +01:00
|
|
|
allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
|
2014-06-19 18:15:22 +02:00
|
|
|
|
2017-09-26 21:58:29 +02:00
|
|
|
# Access to /sys/fs/selinux/policyvers for compatibility check
|
|
|
|
allow recovery selinuxfs:file r_file_perms;
|
|
|
|
|
2014-05-29 22:40:15 +02:00
|
|
|
# Required to e.g. wipe userdata/cache.
|
recovery: Allow exec_type on dirs, read for /dev
When applying a file based OTA, the recovery scripts sometimes
transiently label a directory as an exec_type. This occurs on
hammerhead when the OTA generation scripts generate lines of the
form:
set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0");
set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0");
which has the effect of transiently labeling the /system/vendor/bin
directory as vss_exec.
Allow this behavior for now, even though it's obviously a bug.
Also, allow recovery to read through the /dev directory.
Addresses the following denials:
avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
Bug: 15575013
Change-Id: I743bea356382d3c23c136465dc5b434878370127
2014-06-15 18:40:12 +02:00
|
|
|
allow recovery device:dir r_dir_perms;
|
2014-06-04 01:16:21 +02:00
|
|
|
allow recovery block_device:dir r_dir_perms;
|
2014-05-29 22:40:15 +02:00
|
|
|
allow recovery dev_type:blk_file rw_file_perms;
|
2019-12-26 23:48:21 +01:00
|
|
|
allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;
|
2014-05-20 20:09:16 +02:00
|
|
|
|
2014-05-29 22:40:15 +02:00
|
|
|
# GUI
|
2014-06-04 01:16:21 +02:00
|
|
|
allow recovery graphics_device:chr_file rw_file_perms;
|
|
|
|
allow recovery graphics_device:dir r_dir_perms;
|
|
|
|
allow recovery input_device:dir r_dir_perms;
|
|
|
|
allow recovery input_device:chr_file r_file_perms;
|
2014-06-07 20:48:35 +02:00
|
|
|
allow recovery tty_device:chr_file rw_file_perms;
|
2014-06-04 01:16:21 +02:00
|
|
|
|
|
|
|
# Create /tmp/recovery.log and execute /tmp/update_binary.
|
|
|
|
allow recovery tmpfs:file { create_file_perms x_file_perms };
|
|
|
|
allow recovery tmpfs:dir create_dir_perms;
|
2014-02-11 20:40:14 +01:00
|
|
|
|
2015-12-22 21:37:17 +01:00
|
|
|
# Manage files on /cache and /cache/recovery
|
|
|
|
allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
|
|
|
|
allow recovery { cache_file cache_recovery_file }:file create_file_perms;
|
2014-06-04 01:16:21 +02:00
|
|
|
|
2017-04-05 21:43:33 +02:00
|
|
|
# Read /sys/class/thermal/*/temp for thermal info.
|
2017-04-14 23:06:22 +02:00
|
|
|
r_dir_file(recovery, sysfs_thermal)
|
2017-04-05 21:43:33 +02:00
|
|
|
|
2015-06-11 00:52:49 +02:00
|
|
|
# Read files on /oem.
|
|
|
|
r_dir_file(recovery, oemfs);
|
|
|
|
|
2014-05-29 22:40:15 +02:00
|
|
|
# Use setfscreatecon() to label files for OTA updates.
|
|
|
|
allow recovery self:process setfscreate;
|
2014-06-04 01:16:21 +02:00
|
|
|
|
2014-07-08 20:45:09 +02:00
|
|
|
# Allow recovery to create a fuse filesystem, and read files from it.
|
2014-07-02 19:28:20 +02:00
|
|
|
allow recovery fuse_device:chr_file rw_file_perms;
|
2014-07-08 20:45:09 +02:00
|
|
|
allow recovery fuse:dir r_dir_perms;
|
|
|
|
allow recovery fuse:file r_file_perms;
|
2014-07-02 19:28:20 +02:00
|
|
|
|
2014-06-04 01:16:21 +02:00
|
|
|
wakelock_use(recovery)
|
2014-06-07 20:48:35 +02:00
|
|
|
|
2014-06-10 05:35:51 +02:00
|
|
|
# This line seems suspect, as it should not really need to
|
2014-06-07 20:48:35 +02:00
|
|
|
# set scheduling parameters for a kernel domain task.
|
2014-06-04 01:16:21 +02:00
|
|
|
allow recovery kernel:process setsched;
|
2019-05-22 01:22:21 +02:00
|
|
|
|
|
|
|
# These are needed to update dynamic partitions in recovery.
|
|
|
|
r_dir_file(recovery, sysfs_dm)
|
|
|
|
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
|
2019-10-18 04:07:52 +02:00
|
|
|
|
|
|
|
# Allow using libfiemap/gsid directly (no binder in recovery).
|
|
|
|
allow recovery gsi_metadata_file:dir search;
|
|
|
|
allow recovery ota_metadata_file:dir rw_dir_perms;
|
|
|
|
allow recovery ota_metadata_file:file create_file_perms;
|
2020-03-17 00:33:54 +01:00
|
|
|
|
|
|
|
# Allow mounting /metadata for writing update states
|
|
|
|
allow recovery metadata_file:dir { getattr mounton };
|
2014-05-29 22:40:15 +02:00
|
|
|
')
|
2014-11-06 00:30:41 +01:00
|
|
|
|
|
|
|
###
|
|
|
|
### neverallow rules
|
|
|
|
###
|
|
|
|
|
|
|
|
# Recovery should never touch /data.
|
|
|
|
#
|
|
|
|
# In particular, if /data is encrypted, it is not accessible
|
|
|
|
# to recovery anyway.
|
|
|
|
#
|
|
|
|
# For now, we only enforce write/execute restrictions, as domain.te
|
|
|
|
# contains a number of read-only rules that apply to all
|
|
|
|
# domains, including recovery.
|
|
|
|
#
|
|
|
|
# TODO: tighten this up further.
|
2017-09-26 21:58:29 +02:00
|
|
|
neverallow recovery {
|
|
|
|
data_file_type
|
|
|
|
-cache_file
|
|
|
|
-cache_recovery_file
|
2019-06-14 00:05:15 +02:00
|
|
|
with_native_coverage(`-method_trace_data_file')
|
2017-09-26 21:58:29 +02:00
|
|
|
}:file { no_w_file_perms no_x_file_perms };
|
|
|
|
neverallow recovery {
|
|
|
|
data_file_type
|
|
|
|
-cache_file
|
|
|
|
-cache_recovery_file
|
2019-06-14 00:05:15 +02:00
|
|
|
with_native_coverage(`-method_trace_data_file')
|
2017-09-26 21:58:29 +02:00
|
|
|
}:dir no_w_dir_perms;
|