# Domain definition for the recovery console binary.
Stephen Smalley | 6d10ca8 | 2014-01-13 09:45:45 -0500 | [diff] [blame] | 1 | # recovery console (used in recovery init.rc for /sbin/recovery) |
# Declares the type `recovery` and gives it the `domain` attribute.
| 2 | type recovery, domain; |
# Lets a file labeled rootfs serve as the entrypoint into this domain.
# The rule is not scoped to a dedicated executable type: any file carrying
# the rootfs label qualifies.
| 3 | allow recovery rootfs:file entrypoint; |
# NOTE(review): unconfined_domain() is a macro defined outside this file.
# By its name it places recovery in the unconfined set; if so, the explicit
# allow rules in this file are a lower bound on what recovery may do, not
# the complete list. Confirm against the macro definition before treating
# this file as the full permission set.
| 4 | unconfined_domain(recovery) |
# NOTE(review): relabelto_domain() is also defined elsewhere; presumably it
# marks recovery as a domain that may use relabelto, which this file grants
# further down. Confirm against the macro definition.
| 5 | relabelto_domain(recovery) |
| 6 | |
# Grants recovery the mac_admin permission (class capability2) on itself.
# NOTE(review): in SELinux, mac_admin gates setting security contexts that
# the loaded policy does not define. Presumably recovery needs it to apply
# labels that come from a different policy than its own; confirm against
# commit 04ee5df. Labels set this way are outside what the running policy
# can evaluate, so this is a high-value permission to keep out of other domains.
Stephen Smalley | 04ee5df | 2014-01-30 13:23:08 -0500 | [diff] [blame] | 7 | allow recovery self:capability2 mac_admin; |
| 8 | |
# Allows relabelto for every type in fs_type, dev_type and file_type, with
# kmem_device explicitly subtracted, so recovery cannot label an object as
# kmem_device. dir_file_class_set is a macro defined outside this file.
# Only relabelto is granted by this rule.
Stephen Smalley | 6d10ca8 | 2014-01-13 09:45:45 -0500 | [diff] [blame] | 9 | allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto; |
# Allows mounting a filesystem whose label is `unlabeled`.
| 10 | allow recovery unlabeled:filesystem mount; |
# `*` grants every permission of the filesystem class on any fs_type.
# NOTE(review): this is the widest possible grant for the class. Narrowing
# it needs the list of filesystem operations recovery actually performs,
# which this file does not show.
Stephen Smalley | b081cc1 | 2014-02-10 13:29:38 -0500 | [diff] [blame] | 11 | allow recovery fs_type:filesystem *; |
Stephen Smalley | 6d10ca8 | 2014-01-13 09:45:45 -0500 | [diff] [blame] | 12 | |
# Block-device access for wiping partitions.
# The rule below covers block device nodes of every dev_type, not only the
# userdata/cache partitions the original comment names as examples.
# rw_file_perms is a macro defined outside this file (by its name,
# read/write file permissions; confirm the exact set).
Stephen Smalley | 3f40d4f | 2014-02-11 14:40:14 -0500 | [diff] [blame] | 13 | # Required to e.g. wipe userdata/cache. |
| 14 | allow recovery dev_type:blk_file rw_file_perms; |
| 15 | |
# Executable-memory permissions.
# NOTE(review): together these three rules let recovery run code from
# anonymous memory, ashmem and tmpfs-labeled files rather than only from a
# labeled on-disk executable. The file does not state why; see commits
# 6d10ca8, 9fe4e7b and 9a40702 for the rationale before removing or copying
# them to another domain.
# execmem: the process may make anonymous memory executable.
Stephen Smalley | 6d10ca8 | 2014-01-13 09:45:45 -0500 | [diff] [blame] | 16 | allow recovery self:process execmem; |
# execute on the ashmem device node.
Stephen Smalley | 9fe4e7b | 2014-01-13 15:32:11 -0500 | [diff] [blame] | 17 | allow recovery ashmem_device:chr_file execute; |
# rx_file_perms is a macro defined outside this file (by its name,
# read + execute; confirm the exact set), applied to files labeled tmpfs.
Stephen Smalley | 9a40702 | 2014-01-13 14:03:47 -0500 | [diff] [blame] | 18 | allow recovery tmpfs:file rx_file_perms; |
Stephen Smalley | 5487ca0 | 2014-02-10 16:31:04 -0500 | [diff] [blame] | 19 | |
# Capabilities under review for removal.
# The allow rule grants sys_rawio and mknod. The auditallow rule grants
# nothing; it makes each granted use of those capabilities produce an audit
# record, so the audit log shows whether recovery actually exercises them.
# Both rules name the same permission set. If the allow is removed, remove
# the auditallow with it.
| 20 | ## TODO: Investigate whether it is safe to remove these |
| 21 | allow recovery self:capability { sys_rawio mknod }; |
| 22 | auditallow recovery self:capability { sys_rawio mknod }; |