# fastbootd (used in recovery init.rc for /sbin/fastbootd)
#
# SELinux type-enforcement (.te) policy for the fastbootd domain. The
# recovery_only() and userdebug_or_eng() wrappers are m4 macros: the rules
# inside them are compiled only into the recovery policy and only into
# userdebug/eng builds respectively.

# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
type fastbootd, domain;

# But the allow rules are only included in the recovery policy.
# Otherwise fastbootd is only allowed the domain rules.
recovery_only(`
  # fastbootd can only use HALs in passthrough mode
  passthrough_hal_client_domain(fastbootd, hal_bootctl)

  # Access /dev/usb-ffs/fastbootd/ep0
  allow fastbootd functionfs:dir search;
  allow fastbootd functionfs:file rw_file_perms;

  # allowxperm narrows the ioctl permission granted above to the listed
  # command(s); any other ioctl on functionfs files is denied.
  allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
  # Log to serial
  allow fastbootd kmsg_device:chr_file { open getattr write };

  # battery info
  allow fastbootd sysfs_batteryinfo:file r_file_perms;

  allow fastbootd device:dir r_dir_perms;

  # For dev/block/by-name dir
  allow fastbootd block_device:dir r_dir_perms;

  # Needed for DM_DEV_CREATE ioctl call
  # CAP_SYS_ADMIN is a broad capability; it is only reachable because the
  # whole block is wrapped in recovery_only(), i.e. never in the normal
  # boot policy.
  allow fastbootd self:capability sys_admin;

  # unix_socket_connect(client_domain, socket_type, server_domain):
  # connect to the recovery-typed socket served by the recovery domain.
  unix_socket_connect(fastbootd, recovery, recovery)

  # Required for flashing
  allow fastbootd dm_device:chr_file rw_file_perms;
  allow fastbootd dm_device:blk_file rw_file_perms;

  allow fastbootd cache_block_device:blk_file rw_file_perms;
  allow fastbootd super_block_device_type:blk_file rw_file_perms;
  # Write (plus getattr/ioctl) but not read on these partitions. Read on
  # metadata_block_device is granted separately below; read on
  # boot_block_device only inside userdebug_or_eng().
  allow fastbootd {
    boot_block_device
    metadata_block_device
    system_block_device
    userdata_block_device
  }:blk_file { w_file_perms getattr ioctl };

  # For disabling/wiping GSI, and for modifying/deleting files created via
  # libfiemap.
  allow fastbootd metadata_block_device:blk_file r_file_perms;
  allow fastbootd {rootfs tmpfs}:dir mounton;
  allow fastbootd metadata_file:dir { search getattr mounton };
  allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
  allow fastbootd gsi_metadata_file_type:file create_file_perms;

  # Limit super-partition ioctls to the two alignment queries.
  allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };

  # Limit ioctls on these block devices to the discard commands used for
  # wiping.
  allowxperm fastbootd {
    metadata_block_device
    userdata_block_device
    dm_device
    cache_block_device
  }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };

  allow fastbootd misc_block_device:blk_file rw_file_perms;

  allow fastbootd proc_cmdline:file r_file_perms;
  allow fastbootd rootfs:dir r_dir_perms;

  # Needed to read fstab node from device tree.
  allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
  allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;

  # Needed because libdm reads sysfs to validate when a dm path is ready.
  r_dir_file(fastbootd, sysfs_dm)

  # Needed for realpath() call to resolve symlinks.
  allow fastbootd block_device:dir getattr;
  # The rules in this nested block are absent from user builds.
  userdebug_or_eng(`
    # Refined manipulation of /mnt/scratch, without these perms resorts
    # to deleting scratch partition when partition(s) are flashed.
    allow fastbootd self:process setfscreate;
    allow fastbootd cache_file:dir search;
    allow fastbootd proc_filesystems:file { getattr open read };
    allow fastbootd self:capability sys_rawio;
    # dontaudit only suppresses the denial log; module_request is still
    # denied.
    dontaudit fastbootd kernel:system module_request;
    # allowxperm only refines an ioctl permission that some allow rule
    # already grants; it does not by itself grant blk_file ioctl on every
    # dev_type.
    allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
    allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
    # Removing overlay entries from the system/vendor trees while cleaning
    # up /mnt/scratch (see comment above).
    allow fastbootd {
      system_file_type
      unlabeled
      vendor_file_type
    }:dir { remove_name rmdir search write };
    allow fastbootd {
      overlayfs_file
      system_file_type
      unlabeled
      vendor_file_type
    }:{ file lnk_file } unlink;
    allow fastbootd tmpfs:dir rw_dir_perms;
    # Fetch vendor_boot partition
    allow fastbootd boot_block_device:blk_file r_file_perms;
  ')

  # Allow using libfiemap/gsid directly (no binder in recovery).
  allow fastbootd gsi_metadata_file_type:dir search;
  allow fastbootd ota_metadata_file:dir rw_dir_perms;
  allow fastbootd ota_metadata_file:file create_file_perms;
')

###
### neverallow rules
###

# Write permission is required to wipe userdata
# until recovery supports vold.
# neverallow is a build-time assertion: any rule anywhere in the policy
# that grants fastbootd the no_x_file_perms set on data files fails
# compilation.
neverallow fastbootd {
  data_file_type
}:file { no_x_file_perms };