549ccf77e3
This permission was created mostly for dumpstate (so it can include recovery files on bugreports when an OTA fails), but it was applied to uncrypt and recovery as well (since it had a wider access before). Grant access to cache_recovery_file where we previously granted access to cache_file. Add auditallow rules to determine if this is really needed. BUG: 25351711 Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
35 lines
1.1 KiB
Text
35 lines
1.1 KiB
Text
# uncrypt
|
|
type uncrypt, domain, domain_deprecated, mlstrustedsubject;
|
|
type uncrypt_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(uncrypt)
|
|
|
|
allow uncrypt self:capability dac_override;
|
|
|
|
# Read OTA zip file from /data/data/com.google.android.gsf/app_download
|
|
r_dir_file(uncrypt, app_data_file)
|
|
|
|
userdebug_or_eng(`
|
|
# For debugging, allow /data/local/tmp access
|
|
r_dir_file(uncrypt, shell_data_file)
|
|
')
|
|
|
|
# Read /cache/recovery/command
|
|
# Read /cache/recovery/uncrypt_file
|
|
# Write to pipe file /cache/recovery/uncrypt_status
|
|
allow uncrypt cache_recovery_file:dir rw_dir_perms;
|
|
allow uncrypt cache_recovery_file:file create_file_perms;
|
|
allow uncrypt cache_recovery_file:fifo_file w_file_perms;
|
|
|
|
# Set a property to reboot the device.
|
|
set_prop(uncrypt, powerctl_prop)
|
|
|
|
# Raw writes to block device
|
|
allow uncrypt self:capability sys_rawio;
|
|
allow uncrypt block_device:blk_file w_file_perms;
|
|
auditallow uncrypt block_device:blk_file w_file_perms;
|
|
allow uncrypt misc_block_device:blk_file w_file_perms;
|
|
allow uncrypt block_device:dir r_dir_perms;
|
|
|
|
# Access userdata block device.
|
|
allow uncrypt userdata_block_device:blk_file w_file_perms;
|