replicant-vendor_replicant/sepolicy/recovery.te

recovery_only(`

# Secure adb (setup_adbd)
allow adbd adb_keys_file:dir search;
allow recovery adb_keys_file:dir r_dir_perms;
allow recovery adb_keys_file:file r_file_perms;
allow recovery shell_prop:property_service set;

# Recovery dialogs
unix_socket_connect(recovery, vold, vold)
allow recovery tmpfs:sock_file create_file_perms;

# Read packages.xml
allow recovery system_data_file:file r_file_perms;

# Manage fstab and /adb_keys
allow recovery rootfs:file create_file_perms;
allow recovery rootfs:dir { write add_name };

# Read /data/media files and directories
allow recovery media_rw_data_file:dir r_dir_perms;
allow recovery media_rw_data_file:file r_file_perms;

# Control properties
allow recovery recovery_prop:property_service set;

# recursive rm for wipes... :(
allow recovery file_type:dir { rw_dir_perms rmdir };
allow recovery file_type:notdevfile_class_set { unlink getattr };
# wipe saves and restores the layout version
allow recovery install_data_file:file create_file_perms;
allow recovery system_data_file:file create;

')
sepolicy: More rules for recovery Change-Id: Ie50c04eb83cb9c62f679a1c1aa2ac482af159f7e 2014-12-01 18:38:25 +00:00			recovery_only(`

cm: sepolicy: Add contexts for cm recovery * Allow setup of secure adb (setup_adbd) * minivold in recovery Change-Id: Id1243154f4016b59e54890404cadea46a2aad212 2014-11-26 21:26:14 +00:00			`# Secure adb (setup_adbd)`
			`allow adbd adb_keys_file:dir search;`
sepolicy: More rules for recovery Change-Id: Ie50c04eb83cb9c62f679a1c1aa2ac482af159f7e 2014-12-01 18:38:25 +00:00			`allow recovery adb_keys_file:dir r_dir_perms;`
cm: sepolicy: Add contexts for cm recovery * Allow setup of secure adb (setup_adbd) * minivold in recovery Change-Id: Id1243154f4016b59e54890404cadea46a2aad212 2014-11-26 21:26:14 +00:00			`allow recovery adb_keys_file:file r_file_perms;`
			`allow recovery shell_prop:property_service set;`

			`# Recovery dialogs`
			`unix_socket_connect(recovery, vold, vold)`
			`allow recovery tmpfs:sock_file create_file_perms;`
sepolicy: More rules for recovery Change-Id: Ie50c04eb83cb9c62f679a1c1aa2ac482af159f7e 2014-12-01 18:38:25 +00:00
			`# Read packages.xml`
			`allow recovery system_data_file:file r_file_perms;`

			`# Manage fstab and /adb_keys`
			`allow recovery rootfs:file create_file_perms;`
			`allow recovery rootfs:dir { write add_name };`

sepolicy: allow recovery read access to /data/media/ files and dirs Change-Id: I41173d72e86f9cf4d79f7c46166eeb71dc19d2f4 2014-12-14 16:36:10 +00:00			`# Read /data/media files and directories`
			`allow recovery media_rw_data_file:dir r_dir_perms;`
			`allow recovery media_rw_data_file:file r_file_perms;`

sepolicy: More rules for recovery Change-Id: Ie50c04eb83cb9c62f679a1c1aa2ac482af159f7e 2014-12-01 18:38:25 +00:00			`# Control properties`
			`allow recovery recovery_prop:property_service set;`

selinux: Allow recovery to do recursive deletes Our partial wipes (preserving media) require that recovery can rmdir dirs and getattr files Change-Id: I206f74131f9a37c5887ef30062adeabb58beaa3a 2015-01-03 04:23:08 +00:00			`# recursive rm for wipes... :(`
			`allow recovery file_type:dir { rw_dir_perms rmdir };`
			`allow recovery file_type:notdevfile_class_set { unlink getattr };`
			`# wipe saves and restores the layout version`
			`allow recovery install_data_file:file create_file_perms;`
			`allow recovery system_data_file:file create;`

sepolicy: More rules for recovery Change-Id: Ie50c04eb83cb9c62f679a1c1aa2ac482af159f7e 2014-12-01 18:38:25 +00:00			`')`