-
Felipe Leme authored
This permission was created mostly for dumpstate (so it can include recovery files on bugreports when an OTA fails), but it was applied to uncrypt and recovery as well (since it had a wider access before). Grant access to cache_recovery_file where we previously granted access to cache_file. Add auditallow rules to determine if this is really needed. BUG: 25351711 Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
549ccf77
uncrypt.te 1.10 KiB
# uncrypt
type uncrypt, domain, domain_deprecated, mlstrustedsubject;
type uncrypt_exec, exec_type, file_type;
init_daemon_domain(uncrypt)
allow uncrypt self:capability dac_override;
# Read OTA zip file from /data/data/com.google.android.gsf/app_download
r_dir_file(uncrypt, app_data_file)
userdebug_or_eng(`
# For debugging, allow /data/local/tmp access
r_dir_file(uncrypt, shell_data_file)
')
# Read /cache/recovery/command
# Read /cache/recovery/uncrypt_file
# Write to pipe file /cache/recovery/uncrypt_status
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
allow uncrypt cache_recovery_file:fifo_file w_file_perms;
# Set a property to reboot the device.
set_prop(uncrypt, powerctl_prop)
# Raw writes to block device
allow uncrypt self:capability sys_rawio;
allow uncrypt block_device:blk_file w_file_perms;
auditallow uncrypt block_device:blk_file w_file_perms;
allow uncrypt misc_block_device:blk_file w_file_perms;
allow uncrypt block_device:dir r_dir_perms;
# Access userdata block device.
allow uncrypt userdata_block_device:blk_file w_file_perms;