aboutsummaryrefslogtreecommitdiffstats
path: root/sepolicy/recovery.te
blob: 5bd544f21de66f57da57e7996a11f8e2c01c71d4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
recovery_only(`

# file system operations for sdcard
permissive fsck_untrusted;

# Secure adb (setup_adbd)
allow adbd adb_keys_file:dir search;
allow recovery adb_keys_file:dir r_dir_perms;
allow recovery adb_keys_file:file r_file_perms;
allow recovery shell_prop:property_service set;

# Recovery dialogs
unix_socket_connect(recovery, vold, vold)
allow recovery tmpfs:sock_file create_file_perms;

# Read packages.xml
allow recovery system_data_file:file r_file_perms;

# Manage fstab and /adb_keys
allow recovery rootfs:file create_file_perms;
allow recovery rootfs:file link;
allow recovery rootfs:dir { write create rmdir add_name remove_name };

# Read storage files and directories
allow recovery tmpfs:dir mounton;
allow recovery media_rw_data_file:dir r_dir_perms;
allow recovery media_rw_data_file:file r_file_perms;
allow recovery vfat:dir r_dir_perms;
allow recovery vfat:file r_file_perms;
allow recovery sdcard_posix:dir r_dir_perms;
allow recovery sdcard_posix:file r_file_perms;

# Control properties
allow recovery recovery_prop:property_service set;

# Set property sys.usb.ffs.ready
allow recovery ffs_prop:property_service set;

# recursive rm for wipes... :(
allow app_data_file self:filesystem associate;
allow recovery app_data_file:file { read open create write };
allow recovery app_data_file:filesystem { relabelto relabelfrom mount unmount };

allow recovery file_type:dir { rw_dir_perms rmdir };
allow recovery file_type:notdevfile_class_set { unlink getattr };
# wipe saves and restores the layout version
allow recovery install_data_file:file create_file_perms;
allow recovery system_data_file:file create_file_perms;

# /cache/recovery things: command and logs
allow recovery recovery_cache_file:dir create_dir_perms;
allow recovery recovery_cache_file:file create_file_perms;

# set system properties for various things
allow recovery system_prop:property_service set;
')