a03d761f19
Make sure we have all necessary rules to modify system_file and
exec_type.
Allow writing to /proc/sys/vm/drop_caches and other proc
files.
Addresses denials like:
avc: denied { getattr } for pid=152 comm="update_binary" path="/system/bin/debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file
avc: denied { read } for pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file
avc: denied { open } for pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file
avc: denied { remove_name } for pid=152 comm="update_binary" name="framework.jar" dev="mmcblk0p21" ino=1600 scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir
avc: denied { add_name } for pid=152 comm="update_binary" name="Foo.apk.patch" scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir
avc: denied { write } for pid=152 comm="update_binary" name="drop_caches" dev="proc" ino=8288 scontext=u:r:recovery:s0 tcontext=u:object_r:proc:s0 tclass=file
recovery is still in permissive_or_unconfined(), so no rules are
being enforced.
Change-Id: I14ca777fe27a2b0fd9a0aefce5ddcc402b1e5a59
61 lines
2.2 KiB
Text
61 lines
2.2 KiB
Text
# recovery console (used in recovery init.rc for /sbin/recovery)
|
|
|
|
# Declare the domain unconditionally so we can always reference it
|
|
# in neverallow rules.
|
|
type recovery, domain;
|
|
|
|
# But the allow rules are only included in the recovery policy.
|
|
# Otherwise recovery is only allowed the domain rules.
|
|
recovery_only(`
|
|
allow recovery rootfs:file entrypoint;
|
|
permissive_or_unconfined(recovery)
|
|
|
|
allow recovery self:capability { chown dac_override fowner fsetid sys_admin };
|
|
|
|
# Set security contexts on files that are not known to the loaded policy.
|
|
allow recovery self:capability2 mac_admin;
|
|
|
|
# Mount filesystems.
|
|
allow recovery rootfs:dir mounton;
|
|
allow recovery fs_type:filesystem *;
|
|
allow recovery unlabeled:filesystem *;
|
|
|
|
# Create and relabel files and directories under /system.
|
|
allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
|
allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
|
allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
|
|
|
|
# Write to /proc/sys/vm/drop_caches
|
|
# TODO: create more specific label?
|
|
allow recovery proc:file w_file_perms;
|
|
|
|
# Required to e.g. wipe userdata/cache.
|
|
allow recovery block_device:dir r_dir_perms;
|
|
allow recovery dev_type:blk_file rw_file_perms;
|
|
|
|
# GUI
|
|
allow recovery self:process execmem;
|
|
allow recovery ashmem_device:chr_file execute;
|
|
allow recovery graphics_device:chr_file rw_file_perms;
|
|
allow recovery graphics_device:dir r_dir_perms;
|
|
allow recovery input_device:dir r_dir_perms;
|
|
allow recovery input_device:chr_file r_file_perms;
|
|
|
|
# Create /tmp/recovery.log and execute /tmp/update_binary.
|
|
allow recovery tmpfs:file { create_file_perms x_file_perms };
|
|
allow recovery tmpfs:dir create_dir_perms;
|
|
|
|
# Manage files on /cache
|
|
allow recovery cache_file:dir create_dir_perms;
|
|
allow recovery cache_file:file create_file_perms;
|
|
|
|
# Reboot the device
|
|
allow recovery powerctl_prop:property_service set;
|
|
unix_socket_connect(recovery, property, init)
|
|
|
|
# Use setfscreatecon() to label files for OTA updates.
|
|
allow recovery self:process setfscreate;
|
|
|
|
wakelock_use(recovery)
|
|
allow recovery kernel:process setsched;
|
|
')
|