platform_system_sepolicy/private/fastbootd.te

typeattribute fastbootd coredomain;

# The allow rules are only included in the recovery policy.
# Otherwise fastbootd is only allowed the domain rules.
recovery_only(`
  # Reboot the device
  set_prop(fastbootd, powerctl_prop)

  # Read serial number of the device from system properties
  get_prop(fastbootd, serialno_prop)

  # Set sys.usb.ffs.ready.
  get_prop(fastbootd, ffs_config_prop)
  set_prop(fastbootd, ffs_control_prop)

  userdebug_or_eng(`
    get_prop(fastbootd, persistent_properties_ready_prop)
  ')

  set_prop(fastbootd, gsid_prop)

  # Determine allocation scheme (whether B partitions needs to be
  # at the second half of super.
  get_prop(fastbootd, virtual_ab_prop)
  get_prop(fastbootd, snapuserd_prop)

  # Needed for TCP protocol
  allow fastbootd node:tcp_socket node_bind;
  allow fastbootd port:tcp_socket name_bind;
  allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };

  # Start snapuserd for merging VABC updates
  set_prop(fastbootd, ctl_snapuserd_prop)

  # Needed to communicate with snapuserd to complete merges.
  allow fastbootd snapuserd_socket:sock_file write;
  allow fastbootd snapuserd:unix_stream_socket connectto;
  allow fastbootd dm_user_device:dir r_dir_perms;

  # Get fastbootd protocol property
  get_prop(fastbootd, fastbootd_protocol_prop)

  # Mount /metadata to interact with Virtual A/B snapshots.
  allow fastbootd labeledfs:filesystem { mount unmount };
  set_prop(fastbootd, boottime_prop)

  # Needed for reading boot properties.
  allow fastbootd proc_bootconfig:file r_file_perms;
  # Let this domain use the hal fastboot service
  binder_use(fastbootd)
  hal_client_domain(fastbootd, hal_fastboot)

  # fastbootd can only use HALs in passthrough mode
  passthrough_hal_client_domain(fastbootd, hal_bootctl)

  # fastbootd can use AIDL HALs in binder mode
  binder_use(fastbootd)
  hal_client_domain(fastbootd, hal_health)
  hal_client_domain(fastbootd, hal_fastboot)

  # Access /dev/usb-ffs/fastbootd/ep0
  allow fastbootd functionfs:dir search;
  allow fastbootd functionfs:file rw_file_perms;

  allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
  # Log to serial
  allow fastbootd kmsg_device:chr_file { open getattr write };

  # battery info
  allow fastbootd sysfs_batteryinfo:file r_file_perms;

  allow fastbootd device:dir r_dir_perms;

  # For dev/block/by-name dir
  allow fastbootd block_device:dir r_dir_perms;

  # Needed for DM_DEV_CREATE ioctl call
  allow fastbootd self:capability sys_admin;

  unix_socket_connect(fastbootd, recovery, recovery)

  # Required for flashing
  allow fastbootd dm_device:chr_file rw_file_perms;
  allow fastbootd dm_device:blk_file rw_file_perms;

  allow fastbootd cache_block_device:blk_file rw_file_perms;
  allow fastbootd super_block_device_type:blk_file rw_file_perms;
  allow fastbootd {
    boot_block_device
    metadata_block_device
    system_block_device
    userdata_block_device
  }:blk_file { w_file_perms getattr ioctl };

  # For disabling/wiping GSI, and for modifying/deleting files created via
  # libfiemap.
  allow fastbootd metadata_block_device:blk_file r_file_perms;
  allow fastbootd {rootfs tmpfs}:dir mounton;
  allow fastbootd metadata_file:dir { search getattr mounton };
  allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
  allow fastbootd gsi_metadata_file_type:file create_file_perms;

  allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };

  allowxperm fastbootd {
    metadata_block_device
    userdata_block_device
    dm_device
    cache_block_device
  }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };

  allow fastbootd misc_block_device:blk_file rw_file_perms;

  allow fastbootd proc_cmdline:file r_file_perms;
  allow fastbootd rootfs:dir r_dir_perms;

  # Needed to read fstab node from device tree.
  allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
  allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;

  # Needed because libdm reads sysfs to validate when a dm path is ready.
  r_dir_file(fastbootd, sysfs_dm)

  # Needed for realpath() call to resolve symlinks.
  allow fastbootd block_device:dir getattr;
  userdebug_or_eng(`
    # Refined manipulation of /mnt/scratch, without these perms resorts
    # to deleting scratch partition when partition(s) are flashed.
    allow fastbootd self:process setfscreate;
    allow fastbootd cache_file:dir search;
    allow fastbootd proc_filesystems:file { getattr open read };
    allow fastbootd self:capability sys_rawio;
    allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
    allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
    allow fastbootd {
      system_file_type
      unlabeled
      vendor_file_type
    }:dir { remove_name rmdir search write };
    allow fastbootd {
      overlayfs_file
      system_file_type
      unlabeled
      vendor_file_type
    }:{ file lnk_file } unlink;
    allow fastbootd tmpfs:dir rw_dir_perms;
    # Fetch vendor_boot partition
    allow fastbootd boot_block_device:blk_file r_file_perms;

    # popen(/system/bin/dmesg) and associated permissions. We only allow this
    # on unlocked devices running userdebug builds.
    allow fastbootd rootfs:file execute_no_trans;
    allow fastbootd system_file:file execute_no_trans;
    allow fastbootd kmsg_device:chr_file read;
    allow fastbootd kernel:system syslog_read;
  ')

  # Allow using libfiemap/gsid directly (no binder in recovery).
  allow fastbootd gsi_metadata_file_type:dir search;
  allow fastbootd ota_metadata_file:dir rw_dir_perms;
  allow fastbootd ota_metadata_file:file create_file_perms;
')

# This capability allows fastbootd to circumvent memlock rlimits while using
# io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.
allow fastbootd self:capability ipc_lock;
io_uring_use(fastbootd)

###
### neverallow rules
###

# Write permission is required to wipe userdata
# until recovery supports vold.
neverallow fastbootd {
   data_file_type
}:file { no_x_file_perms };