2014-01-13 15:45:45 +01:00
|
|
|
# recovery console (used in recovery init.rc for /sbin/recovery)
|
2014-05-29 22:40:15 +02:00
|
|
|
|
|
|
|
# Declare the domain unconditionally so we can always reference it
|
|
|
|
# in neverallow rules.
|
2015-11-03 18:54:39 +01:00
|
|
|
type recovery, domain, domain_deprecated;
|
2014-01-13 15:45:45 +01:00
|
|
|
|
2014-05-29 22:40:15 +02:00
|
|
|
# But the allow rules are only included in the recovery policy.
|
|
|
|
# Otherwise recovery is only allowed the domain rules.
|
|
|
|
recovery_only(`
|
2016-08-04 05:31:37 +02:00
|
|
|
# Allow recovery to perform an update as update_engine would do.
|
|
|
|
typeattribute recovery update_engine_common, boot_control_hal;
|
|
|
|
|
2014-06-19 18:15:22 +02:00
|
|
|
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
|
2014-06-04 01:16:21 +02:00
|
|
|
|
2014-05-29 22:40:15 +02:00
|
|
|
# Set security contexts on files that are not known to the loaded policy.
|
|
|
|
allow recovery self:capability2 mac_admin;
|
2014-01-30 19:23:08 +01:00
|
|
|
|
2014-06-19 15:07:17 +02:00
|
|
|
# Run helpers from / or /system without changing domain.
|
|
|
|
allow recovery rootfs:file execute_no_trans;
|
|
|
|
allow recovery system_file:file execute_no_trans;
|
2015-08-25 17:38:29 +02:00
|
|
|
allow recovery toolbox_exec:file rx_file_perms;
|
2014-06-19 15:07:17 +02:00
|
|
|
|
2014-05-29 22:40:15 +02:00
|
|
|
# Mount filesystems.
|
2014-06-04 01:16:21 +02:00
|
|
|
allow recovery rootfs:dir mounton;
|
2014-06-16 19:05:38 +02:00
|
|
|
allow recovery fs_type:filesystem ~relabelto;
|
|
|
|
allow recovery unlabeled:filesystem ~relabelto;
|
|
|
|
allow recovery contextmount_type:filesystem relabelto;
|
2014-01-13 15:45:45 +01:00
|
|
|
|
2014-06-05 08:43:03 +02:00
|
|
|
# Create and relabel files and directories under /system.
|
|
|
|
allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
2016-09-19 22:40:25 +02:00
|
|
|
allow recovery { system_file libart_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
2014-06-05 08:43:03 +02:00
|
|
|
allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
|
|
|
|
|
2014-07-07 22:19:24 +02:00
|
|
|
# We may be asked to set an SELinux label for a type not known to the
|
|
|
|
# currently loaded policy. Allow it.
|
2014-10-23 21:12:58 +02:00
|
|
|
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
2014-07-07 22:19:24 +02:00
|
|
|
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
|
|
|
|
|
recovery: Allow exec_type on dirs, read for /dev
When applying a file based OTA, the recovery scripts sometimes
transiently label a directory as an exec_type. This occurs on
hammerhead when the OTA generation scripts generate lines of the
form:
set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0");
set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0");
which has the effect of transiently labeling the /system/vendor/bin
directory as vss_exec.
Allow this behavior for now, even though it's obviously a bug.
Also, allow recovery to read through the /dev directory.
Addresses the following denials:
avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
Bug: 15575013
Change-Id: I743bea356382d3c23c136465dc5b434878370127
2014-06-15 18:40:12 +02:00
|
|
|
# 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
|
|
|
|
# support to OTAs. However, that code has a bug. When an update occurs,
|
|
|
|
# some directories are inappropriately labeled as exec_type. This is
|
|
|
|
# only transient, and subsequent steps in the OTA script correct this
|
2015-03-05 23:58:30 +01:00
|
|
|
# mistake. New devices are moving to block based OTAs, so this is not
|
|
|
|
# worth fixing. b/15575013
|
recovery: Allow exec_type on dirs, read for /dev
When applying a file based OTA, the recovery scripts sometimes
transiently label a directory as an exec_type. This occurs on
hammerhead when the OTA generation scripts generate lines of the
form:
set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0");
set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0");
which has the effect of transiently labeling the /system/vendor/bin
directory as vss_exec.
Allow this behavior for now, even though it's obviously a bug.
Also, allow recovery to read through the /dev directory.
Addresses the following denials:
avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
Bug: 15575013
Change-Id: I743bea356382d3c23c136465dc5b434878370127
2014-06-15 18:40:12 +02:00
|
|
|
allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
|
|
|
|
|
2014-06-05 08:43:03 +02:00
|
|
|
# Write to /proc/sys/vm/drop_caches
|
2015-05-15 05:55:31 +02:00
|
|
|
allow recovery proc_drop_caches:file w_file_perms;
|
2014-05-29 20:35:55 +02:00
|
|
|
|
2014-06-19 18:15:22 +02:00
|
|
|
# Write to /sys/class/android_usb/android0/enable.
|
|
|
|
# TODO: create more specific label?
|
|
|
|
allow recovery sysfs:file w_file_perms;
|
|
|
|
|
2016-11-22 22:53:01 +01:00
|
|
|
# Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
|
|
|
|
allow recovery sysfs_devices_system_cpu:file w_file_perms;
|
|
|
|
|
2016-02-17 21:23:13 +01:00
|
|
|
allow recovery sysfs_batteryinfo:file r_file_perms;
|
|
|
|
|
2016-01-26 08:42:54 +01:00
|
|
|
allow recovery kernel:system syslog_read;
|
2014-12-09 21:43:26 +01:00
|
|
|
|
2017-01-11 23:58:28 +01:00
|
|
|
# Access /dev/usb-ffs/adb/ep0
|
2014-07-10 22:40:25 +02:00
|
|
|
allow recovery functionfs:dir search;
|
|
|
|
allow recovery functionfs:file rw_file_perms;
|
2014-06-19 18:15:22 +02:00
|
|
|
|
2014-05-29 22:40:15 +02:00
|
|
|
# Required to e.g. wipe userdata/cache.
|
recovery: Allow exec_type on dirs, read for /dev
When applying a file based OTA, the recovery scripts sometimes
transiently label a directory as an exec_type. This occurs on
hammerhead when the OTA generation scripts generate lines of the
form:
set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0");
set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0");
which has the effect of transiently labeling the /system/vendor/bin
directory as vss_exec.
Allow this behavior for now, even though it's obviously a bug.
Also, allow recovery to read through the /dev directory.
Addresses the following denials:
avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
Bug: 15575013
Change-Id: I743bea356382d3c23c136465dc5b434878370127
2014-06-15 18:40:12 +02:00
|
|
|
allow recovery device:dir r_dir_perms;
|
2014-06-04 01:16:21 +02:00
|
|
|
allow recovery block_device:dir r_dir_perms;
|
2014-05-29 22:40:15 +02:00
|
|
|
allow recovery dev_type:blk_file rw_file_perms;
|
2014-05-20 20:09:16 +02:00
|
|
|
|
2014-05-29 22:40:15 +02:00
|
|
|
# GUI
|
2014-06-04 01:16:21 +02:00
|
|
|
allow recovery graphics_device:chr_file rw_file_perms;
|
|
|
|
allow recovery graphics_device:dir r_dir_perms;
|
|
|
|
allow recovery input_device:dir r_dir_perms;
|
|
|
|
allow recovery input_device:chr_file r_file_perms;
|
2014-06-07 20:48:35 +02:00
|
|
|
allow recovery tty_device:chr_file rw_file_perms;
|
2014-06-04 01:16:21 +02:00
|
|
|
|
|
|
|
# Create /tmp/recovery.log and execute /tmp/update_binary.
|
|
|
|
allow recovery tmpfs:file { create_file_perms x_file_perms };
|
|
|
|
allow recovery tmpfs:dir create_dir_perms;
|
2014-02-11 20:40:14 +01:00
|
|
|
|
2015-12-22 21:37:17 +01:00
|
|
|
# Manage files on /cache and /cache/recovery
|
|
|
|
allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
|
|
|
|
allow recovery { cache_file cache_recovery_file }:file create_file_perms;
|
2014-06-04 01:16:21 +02:00
|
|
|
|
2015-06-11 00:52:49 +02:00
|
|
|
# Read files on /oem.
|
|
|
|
r_dir_file(recovery, oemfs);
|
|
|
|
|
2014-06-04 01:16:21 +02:00
|
|
|
# Reboot the device
|
2015-05-05 03:22:45 +02:00
|
|
|
set_prop(recovery, powerctl_prop)
|
2014-05-23 17:26:19 +02:00
|
|
|
|
2014-06-19 16:27:02 +02:00
|
|
|
# Start/stop adbd via ctl.start adbd
|
2015-05-05 03:22:45 +02:00
|
|
|
set_prop(recovery, ctl_default_prop)
|
2014-06-19 16:27:02 +02:00
|
|
|
|
2016-12-27 21:38:07 +01:00
|
|
|
# Read serial number of the device from system properties
|
2016-12-21 00:31:37 +01:00
|
|
|
get_prop(recovery, serialno_prop)
|
|
|
|
|
2014-05-29 22:40:15 +02:00
|
|
|
# Use setfscreatecon() to label files for OTA updates.
|
|
|
|
allow recovery self:process setfscreate;
|
2014-06-04 01:16:21 +02:00
|
|
|
|
2014-07-08 20:45:09 +02:00
|
|
|
# Allow recovery to create a fuse filesystem, and read files from it.
|
2014-07-02 19:28:20 +02:00
|
|
|
allow recovery fuse_device:chr_file rw_file_perms;
|
2014-07-08 20:45:09 +02:00
|
|
|
allow recovery fuse:dir r_dir_perms;
|
|
|
|
allow recovery fuse:file r_file_perms;
|
2014-07-02 19:28:20 +02:00
|
|
|
|
2014-06-04 01:16:21 +02:00
|
|
|
wakelock_use(recovery)
|
2014-06-07 20:48:35 +02:00
|
|
|
|
2014-06-10 05:35:51 +02:00
|
|
|
# This line seems suspect, as it should not really need to
|
2014-06-07 20:48:35 +02:00
|
|
|
# set scheduling parameters for a kernel domain task.
|
2014-06-04 01:16:21 +02:00
|
|
|
allow recovery kernel:process setsched;
|
2014-05-29 22:40:15 +02:00
|
|
|
')
|
2014-11-06 00:30:41 +01:00
|
|
|
|
|
|
|
###
|
|
|
|
### neverallow rules
|
|
|
|
###
|
|
|
|
|
|
|
|
# Recovery should never touch /data.
|
|
|
|
#
|
|
|
|
# In particular, if /data is encrypted, it is not accessible
|
|
|
|
# to recovery anyway.
|
|
|
|
#
|
|
|
|
# For now, we only enforce write/execute restrictions, as domain.te
|
|
|
|
# contains a number of read-only rules that apply to all
|
|
|
|
# domains, including recovery.
|
|
|
|
#
|
|
|
|
# TODO: tighten this up further.
|
|
|
|
neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
|
|
|
|
neverallow recovery data_file_type:dir no_w_dir_perms;
|