176 lines
7.7 KiB
Plaintext
Executable File
176 lines
7.7 KiB
Plaintext
Executable File
# ==============================================
|
|
# MTK Policy Rule
|
|
# ==============================================
|
|
# recovery console (used in recovery init.rc for /sbin/recovery)
|
|
|
|
# special factory reset & backup/restore needs permissive mode
|
|
# permissive recovery;
|
|
|
|
# Date : WK14.38
|
|
# Operation : Migration
|
|
# Purpose : for recovery operation
|
|
allow recovery misc_device:chr_file *;
|
|
allow recovery platformblk_device:dir *;
|
|
allow recovery platformblk_device:blk_file *;
|
|
allow recovery vfat:dir *;
|
|
allow recovery vfat:file ~{ execute entrypoint };
|
|
allow recovery vfat:lnk_file *;
|
|
allow recovery misc_sd_device:chr_file *;
|
|
|
|
# Date : WK14.39
|
|
# Operation : Migration
|
|
# Purpose : for CIP project access /custom partition
|
|
allow recovery custom_file:dir *;
|
|
allow recovery custom_file:file ~{ execute entrypoint };
|
|
allow recovery custom_file:lnk_file *;
|
|
allow recovery rootfs:dir *;
|
|
|
|
# Date : WK14.41
|
|
# Operation : Migration
|
|
# Purpose : Differential update
|
|
allow recovery bootimg_device:chr_file *;
|
|
allow recovery recovery_device:chr_file *;
|
|
allow recovery logo_device:chr_file *;
|
|
allow recovery preloader_device:chr_file *;
|
|
allow recovery uboot_device:chr_file *;
|
|
allow recovery init:dir *;
|
|
allow recovery init:file ~{ execute entrypoint };
|
|
allow recovery init:lnk_file *;
|
|
allow recovery kernel:dir *;
|
|
allow recovery kernel:file ~{ execute entrypoint };
|
|
allow recovery kernel:lnk_file *;
|
|
|
|
|
|
# Date : WK14.41
|
|
# Operation : Migration
|
|
# Purpose : Block full update
|
|
allow recovery healthd:dir *;
|
|
allow recovery healthd:file ~{ execute entrypoint };
|
|
allow recovery healthd:lnk_file *;
|
|
dontaudit recovery self:capability sys_ptrace;
|
|
allow recovery ueventd:dir *;
|
|
allow recovery ueventd:file ~{ execute entrypoint };
|
|
allow recovery ueventd:lnk_file *;
|
|
|
|
# Date : WK14.42
|
|
# Operation : Migration
|
|
# Purpose : for sepcial factory reset
|
|
allow recovery system_data_file:dir *;
|
|
allow recovery system_data_file:fifo_file *;
|
|
allow recovery system_data_file:file ~{ execute entrypoint };
|
|
allow recovery system_data_file:lnk_file *;
|
|
allow recovery system_data_file:sock_file *;
|
|
allow recovery apk_data_file:dir *;
|
|
allow recovery apk_data_file:file ~{ execute entrypoint };
|
|
allow recovery apk_data_file:lnk_file *;
|
|
|
|
userdebug_or_eng(`
|
|
allow recovery su:dir *;
|
|
allow recovery su:file *;
|
|
allow recovery su:lnk_file *;
|
|
')
|
|
|
|
# Date : WK14.43
|
|
# Operation : Migration
|
|
# Purpose : JB to L differential OTA
|
|
#allow recovery unlabeled:lnk_file *;
|
|
|
|
# Date : WK14.45
|
|
# Operation : SQC
|
|
# Purpose : partition size changed
|
|
allow recovery pmt_device:chr_file *;
|
|
allow recovery tee_part_device:chr_file *;
|
|
|
|
# Date : WK14.45
|
|
# Operation : Migration
|
|
# Purpose : KK->L->L legacy secure OTA
|
|
allow recovery proc_sysrq:file { write open };
|
|
allow recovery sec_device:chr_file { read ioctl open };
|
|
allow recovery sec_ro_device:chr_file { read open };
|
|
allow recovery seccfg_device:chr_file { read open };
|
|
allow recovery self:capability sys_boot;
|
|
|
|
# Date : WK14.46
|
|
# Operation : Migration
|
|
# Purpose : FOTA upgrade
|
|
allow recovery app_data_file:dir { write create add_name };
|
|
allow recovery app_data_file:dir { read open };
|
|
allow recovery app_data_file:file { read write create open };
|
|
allow recovery mobicore_data_file:dir { write remove_name search add_name };
|
|
allow recovery mobicore_data_file:file { rename setattr read create write getattr unlink open };
|
|
allow recovery mobicore_data_file:file { relabelfrom relabelto };
|
|
|
|
# Date : WK14.47
|
|
# Operation : Migration
|
|
# Purpose : Root Integrity Check
|
|
allow recovery md_ctrl:file { read getattr open };
|
|
allow recovery mobicore_data_file:dir { read open };
|
|
|
|
# add for adups FOTA start
|
|
allow recovery media_rw_data_file:dir { open read write getattr search rmdir remove_name };
|
|
allow recovery media_rw_data_file:file { read getattr open unlink };
|
|
allow recovery media_rw_data_file:dir search;
|
|
allow recovery media_rw_data_file:dir read;
|
|
allow recovery media_rw_data_file:dir open;
|
|
allow recovery media_rw_data_file:file { read getattr open };
|
|
allow recovery rootfs:dir { add_name create };
|
|
allow recovery rootfs:dir write;
|
|
|
|
allow recovery system_data_file:dir { write mounton create rmdir remove_name add_name open read write getattr search};
|
|
allow recovery system_data_file:file { create write unlink getattr };
|
|
|
|
allow recovery { apk_data_file adb_keys_file keychain_data_file }:dir { open read write getattr search rmdir remove_name };
|
|
allow recovery { apk_data_file adb_keys_file keychain_data_file }:file { getattr unlink };
|
|
|
|
allow recovery keystore_data_file:dir { open read getattr search };
|
|
allow recovery keystore_data_file:file { getattr };
|
|
|
|
allow recovery { shell_data_file bluetooth_data_file net_data_file }:dir { open read write getattr search rmdir remove_name };
|
|
allow recovery { shell_data_file bluetooth_data_file net_data_file }:file { getattr unlink };
|
|
|
|
allow recovery { apk_private_data_file vpn_data_file zoneinfo_data_file shared_relro_file }:dir { open read write getattr search rmdir remove_name };
|
|
allow recovery { apk_private_data_file vpn_data_file zoneinfo_data_file shared_relro_file }:file { getattr unlink };
|
|
|
|
allow recovery { adb_data_file dhcp_data_file misc_user_data_file systemkeys_data_file }:dir { open read write getattr search rmdir remove_name };
|
|
allow recovery { adb_data_file dhcp_data_file misc_user_data_file systemkeys_data_file }:file { getattr unlink };
|
|
|
|
allow recovery { wifi_data_file camera_data_file media_data_file wpa_socket }:dir { open read write getattr search rmdir remove_name };
|
|
allow recovery { wifi_data_file camera_data_file media_data_file wpa_socket }:file { getattr unlink };
|
|
|
|
allow recovery { app_data_file audio_data_file }:dir { open read write getattr search rmdir remove_name };
|
|
allow recovery { app_data_file audio_data_file }:file { getattr unlink };
|
|
|
|
allow recovery { anr_data_file asec_image_file backup_data_file }:dir { open read write getattr search rmdir remove_name };
|
|
allow recovery { anr_data_file asec_image_file backup_data_file }:file { getattr unlink };
|
|
|
|
allow recovery { radio_data_file system_app_data_file dalvikcache_data_file }:dir { open read write getattr search rmdir remove_name };
|
|
allow recovery { radio_data_file system_app_data_file dalvikcache_data_file }:file { getattr unlink };
|
|
|
|
allow recovery { drm_data_file nfc_data_file resourcecache_data_file }:dir { open read write getattr search rmdir remove_name };
|
|
allow recovery { drm_data_file nfc_data_file resourcecache_data_file }:file { getattr unlink };
|
|
|
|
allow recovery property_data_file:dir { open read getattr search };
|
|
allow recovery property_data_file:file { getattr };
|
|
|
|
allow recovery { tombstone_data_file }:dir { open read write getattr search rmdir remove_name };
|
|
allow recovery { tombstone_data_file }:file { getattr unlink };
|
|
|
|
allow recovery security_file:dir { open read getattr search };
|
|
|
|
allow recovery { dalvikcache_profiles_data_file }:dir { open read write getattr search rmdir remove_name };
|
|
allow recovery { dalvikcache_profiles_data_file }:file { getattr unlink };
|
|
|
|
allow recovery { cache_backup_file }:dir { open read write getattr search rmdir remove_name };
|
|
allow recovery { cache_backup_file }:file { getattr unlink };
|
|
|
|
allow recovery { wallpaper_file apk_private_tmp_file gps_data_file cache_file cache_backup_file efs_file }:file { getattr unlink};
|
|
allow recovery { asec_apk_file asec_public_file bluetooth_efs_file }:file { getattr unlink};
|
|
|
|
allow recovery { rootfs }:file { create write getattr unlink };
|
|
allow recovery { shell_data_file app_data_file system_app_data_file radio_data_file bluetooth_data_file system_data_file nfc_data_file }:lnk_file { getattr unlink read};
|
|
|
|
allow recovery { camera_data_file system_ndebug_socket system_wpa_socket wpa_socket }:sock_file { getattr unlink };
|
|
allow recovery { system_data_file }:fifo_file { open read write getattr rw_file_perms unlink };
|
|
# add for adups FOTA end
|
|
|