# recovery console (used in recovery init.rc for /sbin/recovery) # Declare the domain unconditionally so we can always reference it # in neverallow rules. type recovery, domain; # But the allow rules are only included in the recovery policy. # Otherwise recovery is only allowed the domain rules. recovery_only(` allow recovery rootfs:file entrypoint; permissive_or_unconfined(recovery) allow recovery self:capability { chown dac_override fowner fsetid setfcap sys_admin sys_tty_config }; # Set security contexts on files that are not known to the loaded policy. allow recovery self:capability2 mac_admin; # Mount filesystems. allow recovery rootfs:dir mounton; allow recovery fs_type:filesystem ~relabelto; allow recovery unlabeled:filesystem ~relabelto; allow recovery contextmount_type:filesystem relabelto; # Create and relabel files and directories under /system. allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto }; allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto }; allow recovery system_file:dir { create_dir_perms relabelfrom relabelto }; # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux # support to OTAs. However, that code has a bug. When an update occurs, # some directories are inappropriately labeled as exec_type. This is # only transient, and subsequent steps in the OTA script correct this # mistake. # Allow this behavior for now until we can fix the underlying bug. # b/15575013 allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto }; auditallow recovery exec_type:dir { create_dir_perms relabelfrom relabelto }; # Write to /proc/sys/vm/drop_caches # TODO: create more specific label? allow recovery proc:file w_file_perms; # Required to e.g. wipe userdata/cache. allow recovery device:dir r_dir_perms; allow recovery block_device:dir r_dir_perms; allow recovery dev_type:blk_file rw_file_perms; # GUI allow recovery self:process execmem; allow recovery ashmem_device:chr_file execute; allow recovery graphics_device:chr_file rw_file_perms; allow recovery graphics_device:dir r_dir_perms; allow recovery input_device:dir r_dir_perms; allow recovery input_device:chr_file r_file_perms; allow recovery tty_device:chr_file rw_file_perms; # Create /tmp/recovery.log and execute /tmp/update_binary. allow recovery tmpfs:file { create_file_perms x_file_perms }; allow recovery tmpfs:dir create_dir_perms; # Manage files on /cache allow recovery cache_file:dir create_dir_perms; allow recovery cache_file:file create_file_perms; # Reboot the device allow recovery powerctl_prop:property_service set; unix_socket_connect(recovery, property, init) # Use setfscreatecon() to label files for OTA updates. allow recovery self:process setfscreate; wakelock_use(recovery) # This line seems suspect, as it should not really need to # set scheduling parameters for a kernel domain task. allow recovery kernel:process setsched; ')