Accueil Explorer Aide
S'inscrire Connexion
drachfly
/
android10
1
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Branche: master
Branches Tags
android10
/
system
/
sepolicy
/
public
/
fastbootd.te

fastbootd.te 3.7 KB
Lien permanent Historique Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117 
  1. # fastbootd (used in recovery init.rc for /sbin/fastbootd)
    2. 

  2. 

  3. # Declare the domain unconditionally so we can always reference it
    4. 

  4. # in neverallow rules.
    5. 

  5. type fastbootd, domain;
    6. 

  6. 

  7. # But the allow rules are only included in the recovery policy.
    8. 

  8. # Otherwise fastbootd is only allowed the domain rules.
    9. 

  9. recovery_only(`
    10. 

  10.   # fastbootd can only use HALs in passthrough mode
    11. 

  11.   passthrough_hal_client_domain(fastbootd, hal_bootctl)
    12. 

  12. 

  13.   # Access /dev/usb-ffs/fastbootd/ep0
    14. 

  14.   allow fastbootd functionfs:dir search;
    15. 

  15.   allow fastbootd functionfs:file rw_file_perms;
    16. 

  16. 

  17.   allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
    18. 

  18.   # Log to serial
    19. 

  19.   allow fastbootd kmsg_device:chr_file { open getattr write };
    20. 

  20. 

  21.   # battery info
    22. 

  22.   allow fastbootd sysfs_batteryinfo:file r_file_perms;
    23. 

  23. 

  24.   allow fastbootd device:dir r_dir_perms;
    25. 

  25. 

  26.   # Reboot the device
    27. 

  27.   set_prop(fastbootd, powerctl_prop)
    28. 

  28. 

  29.   # Read serial number of the device from system properties
    30. 

  30.   get_prop(fastbootd, serialno_prop)
    31. 

  31. 

  32.   # For dev/block/by-name dir
    33. 

  33.   allow fastbootd block_device:dir r_dir_perms;
    34. 

  34. 

  35.   # Needed for DM_DEV_CREATE ioctl call
    36. 

  36.   allow fastbootd self:capability sys_admin;
    37. 

  37. 

  38.   # Set sys.usb.ffs.ready.
    39. 

  39.   set_prop(fastbootd, ffs_prop)
    40. 

  40.   set_prop(fastbootd, exported_ffs_prop)
    41. 

  41. 

  42.   unix_socket_connect(fastbootd, recovery, recovery)
    43. 

  43. 

  44.   # Required for flashing
    45. 

  45.   allow fastbootd dm_device:chr_file rw_file_perms;
    46. 

  46.   allow fastbootd dm_device:blk_file rw_file_perms;
    47. 

  47. 

  48.   allow fastbootd super_block_device_type:blk_file rw_file_perms;
    49. 

  49.   allow fastbootd {
    50. 

  50.     boot_block_device
    51. 

  51.     metadata_block_device
    52. 

  52.     system_block_device
    53. 

  53.     userdata_block_device
    54. 

  54.   }:blk_file { w_file_perms getattr ioctl };
    55. 

  55. 

  56.   # For disabling/wiping GSI.
    57. 

  57.   allow fastbootd metadata_block_device:blk_file r_file_perms;
    58. 

  58.   allow fastbootd {rootfs tmpfs}:dir mounton;
    59. 

  59.   allow fastbootd metadata_file:dir search;
    60. 

  60.   allow fastbootd gsi_metadata_file:dir r_dir_perms;
    61. 

  61.   allow fastbootd gsi_metadata_file:file rw_file_perms;
    62. 

  62. 

  63.   allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
    64. 

  64. 

  65.   allowxperm fastbootd {
    66. 

  66.     metadata_block_device
    67. 

  67.     userdata_block_device
    68. 

  68.     dm_device
    69. 

  69.   }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
    70. 

  70. 

  71.   allow fastbootd misc_block_device:blk_file rw_file_perms;
    72. 

  72. 

  73.   allow fastbootd proc_cmdline:file r_file_perms;
    74. 

  74.   allow fastbootd rootfs:dir r_dir_perms;
    75. 

  75. 

  76.   # Needed to read fstab node from device tree.
    77. 

  77.   allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
    78. 

  78.   allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;
    79. 

  79. 

  80.   # Needed for realpath() call to resolve symlinks.
    81. 

  81.   allow fastbootd block_device:dir getattr;
    82. 

  82.   userdebug_or_eng(`
    83. 

  83.     # Refined manipulation of /mnt/scratch, without these perms resorts
    84. 

  84.     # to deleting scratch partition when partition(s) are flashed.
    85. 

  85.     allow fastbootd self:process setfscreate;
    86. 

  86.     allow fastbootd cache_file:dir search;
    87. 

  87.     allow fastbootd proc_filesystems:file { getattr open read };
    88. 

  88.     allow fastbootd self:capability sys_rawio;
    89. 

  89.     dontaudit fastbootd kernel:system module_request;
    90. 

  90.     allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
    91. 

  91.     allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
    92. 

  92.     allow fastbootd {
    93. 

  93.       system_file_type
    94. 

  94.       unlabeled
    95. 

  95.       vendor_file_type
    96. 

  96.     }:dir { remove_name rmdir search write };
    97. 

  97.     allow fastbootd {
    98. 

  98.       overlayfs_file
    99. 

  99.       system_file_type
    100. 

  100.       unlabeled
    101. 

  101.       vendor_file_type
    102. 

  102.     }:{ file lnk_file } unlink;
    103. 

  103.     allow fastbootd tmpfs:dir rw_dir_perms;
    104. 

  104.     allow fastbootd labeledfs:filesystem { mount unmount };
    105. 

  105.     get_prop(fastbootd, persistent_properties_ready_prop)
    106. 

  106.   ')
    107. 

  107. ')
    108. 

  108. 

  109. ###
    110. 

  110. ### neverallow rules
    111. 

  111. ###
    112. 

  112. 

  113. # Write permission is required to wipe userdata
    114. 

  114. # until recovery supports vold.
    115. 

  115. neverallow fastbootd {
    116. 

  116.    data_file_type
    117. 

  117. }:file { no_x_file_perms };
    118.