recovery_only(`

# file system operations for sdcard
permissive fsck_untrusted;

# Secure adb (setup_adbd)
allow adbd adb_keys_file:dir search;
allow recovery adb_keys_file:dir r_dir_perms;
allow recovery adb_keys_file:file r_file_perms;
allow recovery shell_prop:property_service set;

# Recovery dialogs
unix_socket_connect(recovery, vold, vold)
allow recovery tmpfs:sock_file create_file_perms;

# Read packages.xml
allow recovery system_data_file:file r_file_perms;

# Manage fstab and /adb_keys
allow recovery rootfs:file create_file_perms;
allow recovery rootfs:file link;
allow recovery rootfs:dir { write create rmdir add_name remove_name };

# Read storage files and directories
allow recovery tmpfs:dir mounton;
allow recovery media_rw_data_file:dir r_dir_perms;
allow recovery media_rw_data_file:file r_file_perms;
allow recovery vfat:dir r_dir_perms;
allow recovery vfat:file r_file_perms;
allow recovery sdcard_posix:dir r_dir_perms;
allow recovery sdcard_posix:file r_file_perms;

# Control properties
allow recovery recovery_prop:property_service set;

# Set property sys.usb.ffs.ready
allow recovery ffs_prop:property_service set;

# recursive rm for wipes... :(
allow app_data_file self:filesystem associate;
allow recovery app_data_file:file { read open create write };
allow recovery app_data_file:filesystem { relabelto relabelfrom mount unmount };

allow recovery file_type:dir { rw_dir_perms rmdir };
allow recovery file_type:notdevfile_class_set { unlink getattr };
# wipe saves and restores the layout version
allow recovery install_data_file:file create_file_perms;
allow recovery system_data_file:file create_file_perms;

# /cache/recovery things: command and logs
allow recovery recovery_cache_file:dir create_dir_perms;
allow recovery recovery_cache_file:file create_file_perms;

# set system properties for various things
allow recovery system_prop:property_service set;
')