| Inseob Kim | ff43be2 | 2021-06-07 16:56:56 +0900 | [diff] [blame] | 1 | typeattribute recovery coredomain; |
| 2 | |
| 3 | # The allow rules are only included in the recovery policy. |
| 4 | # Otherwise recovery is only allowed the domain rules. |
| 5 | recovery_only(` |
| 6 | # Reboot the device |
| 7 | set_prop(recovery, powerctl_prop) |
| 8 | |
| 9 | # Read serial number of the device from system properties |
| 10 | get_prop(recovery, serialno_prop) |
| 11 | |
| 12 | # Set sys.usb.ffs.ready when starting minadbd for sideload. |
| 13 | get_prop(recovery, ffs_config_prop) |
| 14 | set_prop(recovery, ffs_control_prop) |
| 15 | |
| 16 | # Set sys.usb.config when switching into fastboot. |
| 17 | set_prop(recovery, usb_control_prop) |
| 18 | set_prop(recovery, usb_prop) |
| 19 | |
| 20 | # Read ro.boot.bootreason |
| 21 | get_prop(recovery, bootloader_boot_reason_prop) |
| 22 | |
| 23 | # Read storage properties (for correctly formatting filesystems) |
| 24 | get_prop(recovery, storage_config_prop) |
| 25 | |
| 26 | set_prop(recovery, gsid_prop) |
| 27 | |
| 28 | # These are needed to allow recovery to manage network |
| 29 | allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read }; |
| 30 | allow recovery self:global_capability_class_set net_admin; |
| 31 | allow recovery self:tcp_socket { create ioctl }; |
| 32 | allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS }; |
| 33 | |
| 34 | # Start snapuserd for merging VABC updates |
| 35 | set_prop(recovery, ctl_snapuserd_prop) |
| 36 | |
| 37 | # Needed to communicate with snapuserd to complete merges. |
| 38 | allow recovery snapuserd_socket:sock_file write; |
| 39 | allow recovery snapuserd:unix_stream_socket connectto; |
| 40 | allow recovery dm_user_device:dir r_dir_perms; |
| 41 | |
| 42 | # Set fastbootd protocol property |
| 43 | set_prop(recovery, fastbootd_protocol_prop) |
| 44 | |
| 45 | get_prop(recovery, recovery_config_prop) |
| 46 | ') |