platform_system_sepolicy/public/recovery.te
Alex Klyubin 9d8e3ab6f1 Fix warning in recovery.te
SELinux policy compiler complained about a quote inside the
recovery_only section of recovery.te. This section's contents are
inside quotes and thus can't contain quotes.

Test: mmm system/sepolicy produces no warnings
Bug: 33700679
Change-Id: I5bf943166f4f514d04472f7e59b025a9723eb1b8
2016-12-27 12:38:07 -08:00

128 lines
4.8 KiB
Text

# recovery console (used in recovery init.rc for /sbin/recovery)
# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
type recovery, domain, domain_deprecated;
# But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
recovery_only(`
# Allow recovery to perform an update as update_engine would do.
typeattribute recovery update_engine_common, boot_control_hal;
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
# Set security contexts on files that are not known to the loaded policy.
allow recovery self:capability2 mac_admin;
# Run helpers from / or /system without changing domain.
allow recovery rootfs:file execute_no_trans;
allow recovery system_file:file execute_no_trans;
allow recovery toolbox_exec:file rx_file_perms;
# Mount filesystems.
allow recovery rootfs:dir mounton;
allow recovery fs_type:filesystem ~relabelto;
allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto;
# Create and relabel files and directories under /system.
allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery { system_file libart_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
# We may be asked to set an SELinux label for a type not known to the
# currently loaded policy. Allow it.
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
# 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
# support to OTAs. However, that code has a bug. When an update occurs,
# some directories are inappropriately labeled as exec_type. This is
# only transient, and subsequent steps in the OTA script correct this
# mistake. New devices are moving to block based OTAs, so this is not
# worth fixing. b/15575013
allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
# Write to /proc/sys/vm/drop_caches
allow recovery proc_drop_caches:file w_file_perms;
# Write to /sys/class/android_usb/android0/enable.
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
# Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
allow recovery sysfs_devices_system_cpu:file w_file_perms;
allow recovery sysfs_batteryinfo:file r_file_perms;
allow recovery kernel:system syslog_read;
# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
allow recovery adb_device:chr_file rw_file_perms;
allow recovery functionfs:dir search;
allow recovery functionfs:file rw_file_perms;
# Required to e.g. wipe userdata/cache.
allow recovery device:dir r_dir_perms;
allow recovery block_device:dir r_dir_perms;
allow recovery dev_type:blk_file rw_file_perms;
# GUI
allow recovery graphics_device:chr_file rw_file_perms;
allow recovery graphics_device:dir r_dir_perms;
allow recovery input_device:dir r_dir_perms;
allow recovery input_device:chr_file r_file_perms;
allow recovery tty_device:chr_file rw_file_perms;
# Create /tmp/recovery.log and execute /tmp/update_binary.
allow recovery tmpfs:file { create_file_perms x_file_perms };
allow recovery tmpfs:dir create_dir_perms;
# Manage files on /cache and /cache/recovery
allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
allow recovery { cache_file cache_recovery_file }:file create_file_perms;
# Read files on /oem.
r_dir_file(recovery, oemfs);
# Reboot the device
set_prop(recovery, powerctl_prop)
# Start/stop adbd via ctl.start adbd
set_prop(recovery, ctl_default_prop)
# Read serial number of the device from system properties
get_prop(recovery, serialno_prop)
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
# Allow recovery to create a fuse filesystem, and read files from it.
allow recovery fuse_device:chr_file rw_file_perms;
allow recovery fuse:dir r_dir_perms;
allow recovery fuse:file r_file_perms;
wakelock_use(recovery)
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow recovery kernel:process setsched;
')
###
### neverallow rules
###
# Recovery should never touch /data.
#
# In particular, if /data is encrypted, it is not accessible
# to recovery anyway.
#
# For now, we only enforce write/execute restrictions, as domain.te
# contains a number of read-only rules that apply to all
# domains, including recovery.
#
# TODO: tighten this up further.
neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
neverallow recovery data_file_type:dir no_w_dir_perms;