Add sepolicy for fastbootd
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.
Test: No selinux denials
Bug: 78793464
Change-Id: I1f97659736429fe961319c642f458c80f199ffb4
diff --git a/public/fastbootd.te b/public/fastbootd.te
new file mode 100644
index 0000000..82ae47b
--- /dev/null
+++ b/public/fastbootd.te
@@ -0,0 +1,59 @@
+# fastbootd (used in recovery init.rc for /sbin/fastbootd)
+
+# Declare the domain unconditionally so we can always reference it
+# in neverallow rules.
+type fastbootd, domain;
+
+# But the allow rules are only included in the recovery policy.
+# Otherwise fastbootd is only allowed the domain rules.
+recovery_only(`
+ # fastbootd can only use HALs in passthrough mode
+ passthrough_hal_client_domain(fastbootd, hal_bootctl)
+
+ # Access /dev/usb-ffs/fastbootd/ep0
+ allow fastbootd functionfs:dir search;
+ allow fastbootd functionfs:file rw_file_perms;
+
+ # Log to serial
+ allow fastbootd kmsg_device:chr_file { open write };
+
+ # battery info
+ allow fastbootd sysfs_batteryinfo:file r_file_perms;
+
+ allow fastbootd device:dir r_dir_perms;
+
+ # Reboot the device
+ set_prop(fastbootd, powerctl_prop)
+
+ # Read serial number of the device from system properties
+ get_prop(fastbootd, serialno_prop)
+
+ # Set sys.usb.ffs.ready.
+ set_prop(fastbootd, ffs_prop)
+ set_prop(fastbootd, exported_ffs_prop)
+
+ unix_socket_connect(fastbootd, recovery, recovery)
+
+ # Required for flashing
+ allow fastbootd dm_device:chr_file rw_file_perms;
+ allow fastbootd dm_device:blk_file rw_file_perms;
+
+ allow fastbootd system_block_device:blk_file rw_file_perms;
+ allow fastbootd boot_block_device:blk_file rw_file_perms;
+
+ allow fastbootd misc_block_device:blk_file rw_file_perms;
+
+ allow fastbootd proc_cmdline:file r_file_perms;
+ allow fastbootd rootfs:dir r_dir_perms;
+ allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
+')
+
+###
+### neverallow rules
+###
+
+# Write permission is required to wipe userdata
+# until recovery supports vold.
+neverallow fastbootd {
+ data_file_type
+}:file { no_x_file_perms };
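Review bot: The comment above the closing neverallow talks about write permission, but the rule itself forbids only `no_x_file_perms` on `data_file_type:file`, so the comment does not say what is actually prohibited. I would reword it to state the rule and then the omission, e.g. `# fastbootd must never execute files labelled data_file_type.` followed by `# Write is not forbidden here because wiping userdata needs it until recovery supports vold.` No allow rule in this hunk grants fastbootd any access to `data_file_type`, so the write access the comment refers to is presumably granted elsewhere or planned. Two rules inside `recovery_only` also lack the one-line rationale their neighbours have: `allow fastbootd device:dir r_dir_perms;` and `unix_socket_connect(fastbootd, recovery, recovery)`. Going by the commit message the socket rule is for switching modes through recovery_socket, and a comment such as `# Ask recovery to switch modes over recovery_socket` would make that grant easier to audit.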