5fad3d98de
Currently, recovery is allowed write access to the following three
file labels:
* system_file (directories, files, and symbolic links)
* exec_type (directories, files, and symbolic links)
* unlabeled (directory and files)
system_file is the default label on all files in /system. exec_type
is the attribute used to mark executables on /system.
The third file type, "unlabeled", refers to filesystem objects where
the label hasn't been set, or a label is set but isn't defined by the
currently loaded policy.
The current policy only allows unlabeled files or directories to
be modified. Symbolic links were accidentally excluded. This causes
problems when trying to fix up labels/permissions on unlabeled
symbolic links.
Allow unlabeled symbolic link modifications.
(cherrypicked from commit 683ac49d9d)
Bug: 18079773
Change-Id: I8e5c33602cdc38ec9a95b4e83f9ccbb06fe9da7c
100 lines
4 KiB
Text
100 lines
4 KiB
Text
# recovery console (used in recovery init.rc for /sbin/recovery)
|
|
|
|
# Declare the domain unconditionally so we can always reference it
|
|
# in neverallow rules.
|
|
type recovery, domain;
|
|
|
|
# But the allow rules are only included in the recovery policy.
|
|
# Otherwise recovery is only allowed the domain rules.
|
|
recovery_only(`
|
|
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
|
|
|
|
# Set security contexts on files that are not known to the loaded policy.
|
|
allow recovery self:capability2 mac_admin;
|
|
|
|
# Run helpers from / or /system without changing domain.
|
|
allow recovery rootfs:file execute_no_trans;
|
|
allow recovery system_file:file execute_no_trans;
|
|
|
|
# Mount filesystems.
|
|
allow recovery rootfs:dir mounton;
|
|
allow recovery fs_type:filesystem ~relabelto;
|
|
allow recovery unlabeled:filesystem ~relabelto;
|
|
allow recovery contextmount_type:filesystem relabelto;
|
|
|
|
# Create and relabel files and directories under /system.
|
|
allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
|
allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
|
allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
|
|
|
|
# We may be asked to set an SELinux label for a type not known to the
|
|
# currently loaded policy. Allow it.
|
|
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
|
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
|
|
|
|
# 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
|
|
# support to OTAs. However, that code has a bug. When an update occurs,
|
|
# some directories are inappropriately labeled as exec_type. This is
|
|
# only transient, and subsequent steps in the OTA script correct this
|
|
# mistake.
|
|
# Allow this behavior for now until we can fix the underlying bug.
|
|
# b/15575013
|
|
allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
|
|
auditallow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
|
|
|
|
# Write to /proc/sys/vm/drop_caches
|
|
# TODO: create more specific label?
|
|
allow recovery proc:file w_file_perms;
|
|
|
|
# Write to /sys/class/android_usb/android0/enable.
|
|
# TODO: create more specific label?
|
|
allow recovery sysfs:file w_file_perms;
|
|
|
|
# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
|
|
allow recovery adb_device:chr_file rw_file_perms;
|
|
allow recovery functionfs:dir search;
|
|
allow recovery functionfs:file rw_file_perms;
|
|
|
|
# Required to e.g. wipe userdata/cache.
|
|
allow recovery device:dir r_dir_perms;
|
|
allow recovery block_device:dir r_dir_perms;
|
|
allow recovery dev_type:blk_file rw_file_perms;
|
|
|
|
# GUI
|
|
allow recovery self:process execmem;
|
|
allow recovery ashmem_device:chr_file execute;
|
|
allow recovery graphics_device:chr_file rw_file_perms;
|
|
allow recovery graphics_device:dir r_dir_perms;
|
|
allow recovery input_device:dir r_dir_perms;
|
|
allow recovery input_device:chr_file r_file_perms;
|
|
allow recovery tty_device:chr_file rw_file_perms;
|
|
|
|
# Create /tmp/recovery.log and execute /tmp/update_binary.
|
|
allow recovery tmpfs:file { create_file_perms x_file_perms };
|
|
allow recovery tmpfs:dir create_dir_perms;
|
|
|
|
# Manage files on /cache
|
|
allow recovery cache_file:dir create_dir_perms;
|
|
allow recovery cache_file:file create_file_perms;
|
|
|
|
# Reboot the device
|
|
allow recovery powerctl_prop:property_service set;
|
|
unix_socket_connect(recovery, property, init)
|
|
|
|
# Start/stop adbd via ctl.start adbd
|
|
allow recovery ctl_default_prop:property_service set;
|
|
|
|
# Use setfscreatecon() to label files for OTA updates.
|
|
allow recovery self:process setfscreate;
|
|
|
|
# Allow recovery to create a fuse filesystem, and read files from it.
|
|
allow recovery fuse_device:chr_file rw_file_perms;
|
|
allow recovery fuse:dir r_dir_perms;
|
|
allow recovery fuse:file r_file_perms;
|
|
|
|
wakelock_use(recovery)
|
|
|
|
# This line seems suspect, as it should not really need to
|
|
# set scheduling parameters for a kernel domain task.
|
|
allow recovery kernel:process setsched;
|
|
')
|