sepolicy/recovery.te - platform_vendor_bliss - Gitiles

 recovery_only(`

 # Secure adb (setup_adbd)
 allow adbd adb_keys_file:dir search;
 allow recovery adb_keys_file:dir r_dir_perms;
 allow recovery adb_keys_file:file r_file_perms;
 allow recovery shell_prop:property_service set;

 # Recovery dialogs
 unix_socket_connect(recovery, vold, vold)
 allow recovery tmpfs:sock_file create_file_perms;

 # Read packages.xml
 #allow recovery system_data_file:file r_file_perms;

 # Manage fstab and /adb_keys
 #allow recovery rootfs:file create_file_perms;
 #allow recovery rootfs:file link;
 #allow recovery rootfs:dir { write create rmdir add_name remove_name };

 # Read storage files and directories
 allow recovery tmpfs:dir mounton;
 allow recovery media_rw_data_file:dir r_dir_perms;
 allow recovery media_rw_data_file:file r_file_perms;
 allow recovery vfat:dir r_dir_perms;
 allow recovery vfat:file r_file_perms;
 allow recovery sdcard_type:dir r_dir_perms;
 allow recovery sdcard_type:file r_file_perms;

 # Control properties
 allow recovery recovery_prop:property_service set;

 # Set property sys.usb.ffs.ready
 allow recovery ffs_prop:property_service set;

 # recursive rm for wipes... :(
 #allow app_data_file self:filesystem associate;
 #allow recovery app_data_file:file { read open create write };
 #allow recovery app_data_file:filesystem { relabelto relabelfrom mount unmount };

 #allow recovery file_type:dir { rw_dir_perms rmdir };
 #allow recovery file_type:notdevfile_class_set { unlink getattr };
 # wipe saves and restores the layout version
 #allow recovery install_data_file:file create_file_perms;
 #allow recovery system_data_file:file create_file_perms;

 # /cache/recovery things: command and logs
 allow recovery cache_recovery_file:dir create_dir_perms;
 allow recovery cache_recovery_file:file create_file_perms;

 # set system properties for various things
 allow recovery system_prop:property_service set;
 ')
	recovery_only(`

	# Secure adb (setup_adbd)
	allow adbd adb_keys_file:dir search;
	allow recovery adb_keys_file:dir r_dir_perms;
	allow recovery adb_keys_file:file r_file_perms;
	allow recovery shell_prop:property_service set;

	# Recovery dialogs
	unix_socket_connect(recovery, vold, vold)
	allow recovery tmpfs:sock_file create_file_perms;

	# Read packages.xml
	#allow recovery system_data_file:file r_file_perms;

	# Manage fstab and /adb_keys
	#allow recovery rootfs:file create_file_perms;
	#allow recovery rootfs:file link;
	#allow recovery rootfs:dir { write create rmdir add_name remove_name };

	# Read storage files and directories
	allow recovery tmpfs:dir mounton;
	allow recovery media_rw_data_file:dir r_dir_perms;
	allow recovery media_rw_data_file:file r_file_perms;
	allow recovery vfat:dir r_dir_perms;
	allow recovery vfat:file r_file_perms;
	allow recovery sdcard_type:dir r_dir_perms;
	allow recovery sdcard_type:file r_file_perms;

	# Control properties
	allow recovery recovery_prop:property_service set;

	# Set property sys.usb.ffs.ready
	allow recovery ffs_prop:property_service set;

	# recursive rm for wipes... :(
	#allow app_data_file self:filesystem associate;
	#allow recovery app_data_file:file { read open create write };
	#allow recovery app_data_file:filesystem { relabelto relabelfrom mount unmount };

	#allow recovery file_type:dir { rw_dir_perms rmdir };
	#allow recovery file_type:notdevfile_class_set { unlink getattr };
	# wipe saves and restores the layout version
	#allow recovery install_data_file:file create_file_perms;
	#allow recovery system_data_file:file create_file_perms;

	# /cache/recovery things: command and logs
	allow recovery cache_recovery_file:dir create_dir_perms;
	allow recovery cache_recovery_file:file create_file_perms;

	# set system properties for various things
	allow recovery system_prop:property_service set;
	')