typeattribute fastbootd coredomain; # The allow rules are only included in the recovery policy. # Otherwise fastbootd is only allowed the domain rules. recovery_only(` # Reboot the device set_prop(fastbootd, powerctl_prop) # Read serial number of the device from system properties get_prop(fastbootd, serialno_prop) # Set sys.usb.ffs.ready. get_prop(fastbootd, ffs_config_prop) set_prop(fastbootd, ffs_control_prop) userdebug_or_eng(` get_prop(fastbootd, persistent_properties_ready_prop) ') set_prop(fastbootd, gsid_prop) # Determine allocation scheme (whether B partitions needs to be # at the second half of super. get_prop(fastbootd, virtual_ab_prop) get_prop(fastbootd, snapuserd_prop) # Needed for TCP protocol allow fastbootd node:tcp_socket node_bind; allow fastbootd port:tcp_socket name_bind; allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept }; # Start snapuserd for merging VABC updates set_prop(fastbootd, ctl_snapuserd_prop) # Needed to communicate with snapuserd to complete merges. allow fastbootd snapuserd_socket:sock_file write; allow fastbootd snapuserd:unix_stream_socket connectto; allow fastbootd dm_user_device:dir r_dir_perms; # Get fastbootd protocol property get_prop(fastbootd, fastbootd_protocol_prop) # Mount /metadata to interact with Virtual A/B snapshots. allow fastbootd labeledfs:filesystem { mount unmount }; set_prop(fastbootd, boottime_prop) # Needed for reading boot properties. allow fastbootd proc_bootconfig:file r_file_perms; # Let this domain use the hal fastboot service binder_use(fastbootd) hal_client_domain(fastbootd, hal_fastboot) # fastbootd can only use HALs in passthrough mode passthrough_hal_client_domain(fastbootd, hal_bootctl) # fastbootd can use AIDL HALs in binder mode binder_use(fastbootd) hal_client_domain(fastbootd, hal_health) hal_client_domain(fastbootd, hal_fastboot) # Access /dev/usb-ffs/fastbootd/ep0 allow fastbootd functionfs:dir search; allow fastbootd functionfs:file rw_file_perms; allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC }; # Log to serial allow fastbootd kmsg_device:chr_file { open getattr write }; # battery info allow fastbootd sysfs_batteryinfo:file r_file_perms; allow fastbootd device:dir r_dir_perms; # For dev/block/by-name dir allow fastbootd block_device:dir r_dir_perms; # Needed for DM_DEV_CREATE ioctl call allow fastbootd self:capability sys_admin; unix_socket_connect(fastbootd, recovery, recovery) # Required for flashing allow fastbootd dm_device:chr_file rw_file_perms; allow fastbootd dm_device:blk_file rw_file_perms; allow fastbootd cache_block_device:blk_file rw_file_perms; allow fastbootd super_block_device_type:blk_file rw_file_perms; allow fastbootd { boot_block_device metadata_block_device system_block_device userdata_block_device }:blk_file { w_file_perms getattr ioctl }; # For disabling/wiping GSI, and for modifying/deleting files created via # libfiemap. allow fastbootd metadata_block_device:blk_file r_file_perms; allow fastbootd {rootfs tmpfs}:dir mounton; allow fastbootd metadata_file:dir { search getattr mounton }; allow fastbootd gsi_metadata_file_type:dir rw_dir_perms; allow fastbootd gsi_metadata_file_type:file create_file_perms; allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF }; allowxperm fastbootd { metadata_block_device userdata_block_device dm_device cache_block_device }:blk_file ioctl { BLKSECDISCARD BLKDISCARD }; allow fastbootd misc_block_device:blk_file rw_file_perms; allow fastbootd proc_cmdline:file r_file_perms; allow fastbootd rootfs:dir r_dir_perms; # Needed to read fstab node from device tree. allow fastbootd sysfs_dt_firmware_android:file r_file_perms; allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms; # Needed because libdm reads sysfs to validate when a dm path is ready. r_dir_file(fastbootd, sysfs_dm) # Needed for realpath() call to resolve symlinks. allow fastbootd block_device:dir getattr; userdebug_or_eng(` # Refined manipulation of /mnt/scratch, without these perms resorts # to deleting scratch partition when partition(s) are flashed. allow fastbootd self:process setfscreate; allow fastbootd cache_file:dir search; allow fastbootd proc_filesystems:file { getattr open read }; allow fastbootd self:capability sys_rawio; allowxperm fastbootd dev_type:blk_file ioctl BLKROSET; allow fastbootd overlayfs_file:dir { create_dir_perms mounton }; allow fastbootd { system_file_type unlabeled vendor_file_type }:dir { remove_name rmdir search write }; allow fastbootd { overlayfs_file system_file_type unlabeled vendor_file_type }:{ file lnk_file } unlink; allow fastbootd tmpfs:dir rw_dir_perms; # Fetch vendor_boot partition allow fastbootd boot_block_device:blk_file r_file_perms; # popen(/system/bin/dmesg) and associated permissions. We only allow this # on unlocked devices running userdebug builds. allow fastbootd rootfs:file execute_no_trans; allow fastbootd system_file:file execute_no_trans; allow fastbootd kmsg_device:chr_file read; allow fastbootd kernel:system syslog_read; ') # Allow using libfiemap/gsid directly (no binder in recovery). allow fastbootd gsi_metadata_file_type:dir search; allow fastbootd ota_metadata_file:dir rw_dir_perms; allow fastbootd ota_metadata_file:file create_file_perms; ') # This capability allows fastbootd to circumvent memlock rlimits while using # io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service. allow fastbootd self:capability ipc_lock; io_uring_use(fastbootd) ### ### neverallow rules ### # Write permission is required to wipe userdata # until recovery supports vold. neverallow fastbootd { data_file_type }:file { no_x_file_perms };