diff --git a/Android.mk b/Android.mk
index 9a99732c61f160c6020544a5293da5060a34245d..0a4ebbfc6fa690cc9c8d758ae4150fd191ca337c 100644
--- a/Android.mk
+++ b/Android.mk
@@ -839,7 +839,7 @@ local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
 file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
 $(file_contexts.local.tmp): $(local_fcfiles_with_nl)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $^ > $@
+	$(hide) m4 --fatal-warnings -s $^ > $@
 
 device_fc_files := $(call build_vendor_policy, file_contexts)
 
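Review bot: The recipes that redirect m4 straight into `$@` (this one, and the file_contexts.device.tmp, file_contexts.concat.tmp, *_property_contexts.tmp, *_service_contexts.tmp, *_hwservice_contexts.tmp, vndservice_contexts.tmp and *_mac_perms_keys.tmp rules in the later hunks) can now fail after the output file has already been written. GNU m4 documents a single `--fatal-warnings` as continuing to process input and returning a non-zero status at the end, so the target may be left on disk with a fresh timestamp and contents produced from a mis-expanded macro. Unless the build driver deletes or re-runs failed targets, a later incremental build could treat that file as current. Writing to a scratch name and renaming removes the dependency on that behaviour: `$(hide) m4 --fatal-warnings -s $^ > $@.tmp` followed by `$(hide) mv -f $@.tmp $@`. The rules that already write `$@.tmp` and then run checkfc on it are not affected.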
@@ -853,7 +853,7 @@ file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
 $(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(file_contexts.device.tmp): $(device_fcfiles_with_nl)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
 
 file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
 $(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
@@ -866,7 +866,7 @@ $(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy
 file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
 $(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $^ > $@
+	$(hide) m4 --fatal-warnings -s $^ > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
@@ -931,7 +931,7 @@ $(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
 $(local_fcfiles_with_nl) $(built_sepolicy)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_FC_FILES) > $@.tmp
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_FC_FILES) > $@.tmp
 	$(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
 	$(hide) $(PRIVATE_FC_SORT) $@.tmp $@
 
@@ -962,7 +962,7 @@ $(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
 $(vendor_fcfiles_with_nl) $(built_sepolicy)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
 	$(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
 	$(hide) $(PRIVATE_FC_SORT) $@.tmp $@
 
@@ -989,7 +989,7 @@ $(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
 $(odm_fcfiles_with_nl) $(built_sepolicy)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
 	$(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
 	$(hide) $(PRIVATE_FC_SORT) $@.tmp $@
 
@@ -1150,7 +1150,7 @@ $(plat_property_contexts.tmp): PRIVATE_PC_FILES := $(plat_pcfiles)
 $(plat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(plat_property_contexts.tmp): $(plat_pcfiles)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/property_info_checker
 	@mkdir -p $(dir $@)
@@ -1182,7 +1182,7 @@ $(vendor_property_contexts.tmp): PRIVATE_PC_FILES := $(vendor_pcfiles)
 $(vendor_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(vendor_property_contexts.tmp): $(vendor_pcfiles)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_BUILT_PLAT_PC := $(built_plat_pc)
@@ -1211,7 +1211,7 @@ $(odm_property_contexts.tmp): PRIVATE_PC_FILES := $(odm_pcfiles)
 $(odm_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(odm_property_contexts.tmp): $(odm_pcfiles)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
 
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
@@ -1287,7 +1287,7 @@ $(plat_service_contexts.tmp): PRIVATE_SVC_FILES := $(plat_svcfiles)
 $(plat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(plat_service_contexts.tmp): $(plat_svcfiles)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(plat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@@ -1319,7 +1319,7 @@ $(vendor_service_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_svcfiles)
 $(vendor_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(vendor_service_contexts.tmp): $(vendor_svcfiles)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(vendor_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@@ -1354,7 +1354,7 @@ $(plat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(plat_hwsvcfiles)
 $(plat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(plat_hwservice_contexts.tmp): $(plat_hwsvcfiles)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(plat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@@ -1386,7 +1386,7 @@ $(vendor_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_hwsvcfiles)
 $(vendor_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(vendor_hwservice_contexts.tmp): $(vendor_hwsvcfiles)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(vendor_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@@ -1414,7 +1414,7 @@ $(odm_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(odm_hwsvcfiles)
 $(odm_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(odm_hwservice_contexts.tmp): $(odm_hwsvcfiles)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(odm_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@@ -1446,7 +1446,7 @@ $(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
 $(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(vndservice_contexts.tmp): $(vnd_svcfiles)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@@ -1471,7 +1471,7 @@ plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp
 $(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(plat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY))
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
 
 all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
 
@@ -1505,7 +1505,7 @@ vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
 $(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(vendor_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
 
 all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
 
@@ -1533,7 +1533,7 @@ odm_mac_perms_keys.tmp := $(intermediates)/odm_keys.tmp
 $(odm_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(odm_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
 	@mkdir -p $(dir $@)
-	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+	$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
 
 all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
 
diff --git a/definitions.mk b/definitions.mk
index 36b75ac042502b8d05da4699196ba8851423cfc6..2ea2b031dd28f4ce1c724876e38f3e8609ba07b1 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -2,7 +2,7 @@
 # processed by checkpolicy
 define transform-policy-to-conf
 @mkdir -p $(dir $@)
-$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
+$(hide) m4 --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
 	-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 	-D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
 	-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
diff --git a/private/adbd.te b/private/adbd.te
index 191c519f86d02cef6a0dae019ff31dbed786f313..864358a571abf72805628c8729756907df787e68 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -18,6 +18,9 @@ userdebug_or_eng(`
 recovery_only(`
   domain_trans(adbd, rootfs, shell)
   allow adbd shell:process dyntransition;
+
+  # Allows reboot fastboot to enter fastboot directly
+  unix_socket_connect(adbd, recovery, recovery)
 ')
 
 # Do not sanitize the environment or open fds of the shell. Allow signaling
diff --git a/private/bug_map b/private/bug_map
index cb49904ea7b40acfc857f698cb440d9ade19f74c..523db53ff7bd5d81b5ab21c259a2f56744bd475c 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -36,6 +36,7 @@ storaged storaged capability 77634061
 system_server crash_dump process 73128755
 system_server logd_socket sock_file 64734187
 system_server sdcardfs file 77856826
+system_server storage_stub_file dir 112609936
 system_server zygote process 77856826
 usbd usbd capability 72472544
 zygote untrusted_app_25 process 77925912
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 5a961076a52831b8a71adcfcaedbcc9cc32eac4d..1594979b688c73b38e2700675b30e07cdb0f10ca 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -49,6 +49,7 @@
     exported3_default_prop
     exported3_radio_prop
     exported3_system_prop
+    fastbootd
     fingerprint_vendor_data_file
     fs_bpf
     hal_audiocontrol_hwservice
@@ -96,6 +97,7 @@
     perfetto_traces_data_file
     perfprofd_service
     property_info
+    recovery_socket
     secure_element
     secure_element_device
     secure_element_tmpfs
@@ -112,6 +114,7 @@
     statsdw_socket
     statscompanion_service
     storaged_data_file
+    super_block_device
     sysfs_fs_ext4_features
     system_boot_reason_prop
     system_lmk_prop
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 9120694d81894ca7f888330cda3826fe296f4223..d56de68612a514995ddb1e35d0d2ddae7f6a3785 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -45,6 +45,7 @@
     exported_system_radio_prop
     exported_vold_prop
     exported_wifi_prop
+    fastbootd
     fingerprint_vendor_data_file
     fs_bpf
     hal_audiocontrol_hwservice
@@ -83,6 +84,7 @@
     perfetto_traces_data_file
     perfprofd_service
     property_info
+    recovery_socket
     secure_element
     secure_element_device
     secure_element_service
@@ -99,6 +101,7 @@
     statsdw
     statsdw_socket
     storaged_data_file
+    super_block_device
     system_boot_reason_prop
     system_lmk_prop
     system_suspend_hwservice
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 18955b2eaf3cb5ebe7b841096fb638f9c6051004..c40ea06d329cc6406bd89f9f2e75dcc8017a023e 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -5,6 +5,7 @@
 (typeattributeset new_objects
   ( activity_task_service
     adb_service
+    fastbootd
     hal_health_filesystem_hwservice
     hal_system_suspend_default
     hal_system_suspend_default_exec
@@ -14,6 +15,8 @@
     llkd_tmpfs
     mnt_product_file
     overlayfs_file
+    recovery_socket
+    super_block_device
     system_lmk_prop
     system_suspend_hwservice
     time_prop
diff --git a/private/fastbootd.te b/private/fastbootd.te
new file mode 100644
index 0000000000000000000000000000000000000000..29a9157e6d9b81761dee596ab94726ed19985ee9
--- /dev/null
+++ b/private/fastbootd.te
@@ -0,0 +1 @@
+typeattribute fastbootd coredomain;
diff --git a/private/file_contexts b/private/file_contexts
index 003d66c0216cb8c74efbc040e2f9f66bcd36e1bd..0a77f6b01101149f2fe7d44e35800afec43b82e7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -149,6 +149,7 @@
 /dev/socket/pdx/system/vr/display/vsync	u:object_r:pdx_display_vsync_endpoint_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
 /dev/socket/racoon	u:object_r:racoon_socket:s0
+/dev/socket/recovery    u:object_r:recovery_socket:s0
 /dev/socket/rild	u:object_r:rild_socket:s0
 /dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
 /dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
diff --git a/private/init.te b/private/init.te
index 02686a3f46332f51d865aeb7263a69b3068ae3f0..30e5e3623fc363cde8be1fb36c4ee04f705fb91d 100644
--- a/private/init.te
+++ b/private/init.te
@@ -9,6 +9,7 @@ domain_trans(init, rootfs, slideshow)
 domain_auto_trans(init, e2fs_exec, e2fs)
 recovery_only(`
   domain_trans(init, rootfs, adbd)
+  domain_trans(init, rootfs, fastbootd)
   domain_trans(init, rootfs, recovery)
 ')
 domain_trans(init, shell_exec, shell)
diff --git a/public/device.te b/public/device.te
index 231c8393836a08f2fce69fff423b76fe47272a62..c68b515ccafcef8b623a14b30f7f51b8190d6f7b 100644
--- a/public/device.te
+++ b/public/device.te
@@ -104,3 +104,6 @@ type metadata_block_device, dev_type;
 
 # The 'misc' partition used by recovery and A/B.
 type misc_block_device, dev_type;
+
+# 'super' partition to be used for logical partitioning.
+type super_block_device, dev_type;
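Review bot: The new super_block_device type is declared without any neverallow bounding which domains may write to it, whereas public/domain.te in this same change keeps such rules for system_block_device and recovery_block_device. If the super partition is going to back the logical system partitions, as the comment's mention of logical partitioning suggests, a write to it is at least as sensitive as a write to system_block_device. A neverallow on `super_block_device:blk_file { write append }` whose exception list is limited to the intended writers would keep later policy additions from widening that set unnoticed. In this diff, fastbootd is the only domain given rw access to it.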
diff --git a/public/domain.te b/public/domain.te
index 0f472c7c012984c744cf62836d1057f6185ff497..3afbe7ed61e0c6086d52fdd24f449d45c42db90f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -557,6 +557,7 @@ neverallow {
   domain
   -adbd
   -dumpstate
+  -fastbootd
   -hal_drm_server
   -hal_cas_server
   -init
@@ -591,11 +592,21 @@ neverallow {
   -fsck
 } metadata_block_device:blk_file { append link rename write open read ioctl lock };
 
-# No domain other than recovery and update_engine can write to system partition(s).
-neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
+# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
+neverallow {
+  domain
+  -fastbootd
+  -recovery
+  -update_engine
+} system_block_device:blk_file { write append };
 
-# No domains other than install_recovery or recovery can write to recovery.
-neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };
+# No domains other than install_recovery, recovery or fastbootd can write to recovery.
+neverallow {
+  domain
+  -fastbootd
+  -install_recovery
+  -recovery
+} recovery_block_device:blk_file { write append };
 
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
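Review bot: The recovery_block_device neverallow now exempts fastbootd, but public/fastbootd.te in this same change has no allow rule on recovery_block_device. It grants block-device access only for super, system, boot and misc. An exemption with no matching allow means a later rule can grant the write without tripping this check. If fastbootd is not meant to flash the recovery partition yet, drop `-fastbootd` from that list and add it back together with the allow rule that needs it.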
@@ -604,6 +615,7 @@ neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file
 neverallow {
   domain
   userdebug_or_eng(`-domain') # exclude debuggable builds
+  -fastbootd
   -hal_bootctl_server
   -init
   -uncrypt
@@ -738,7 +750,6 @@ full_treble_only(`
     -mdnsd # netdomain needs this
     userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
     -init
-    -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
     -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
   });
 ')
diff --git a/public/fastbootd.te b/public/fastbootd.te
new file mode 100644
index 0000000000000000000000000000000000000000..1d39d509012941016f90a42b55a123a3b7c7cc88
--- /dev/null
+++ b/public/fastbootd.te
@@ -0,0 +1,60 @@
+# fastbootd (used in recovery init.rc for /sbin/fastbootd)
+
+# Declare the domain unconditionally so we can always reference it
+# in neverallow rules.
+type fastbootd, domain;
+
+# But the allow rules are only included in the recovery policy.
+# Otherwise fastbootd is only allowed the domain rules.
+recovery_only(`
+  # fastbootd can only use HALs in passthrough mode
+  passthrough_hal_client_domain(fastbootd, hal_bootctl)
+
+  # Access /dev/usb-ffs/fastbootd/ep0
+  allow fastbootd functionfs:dir search;
+  allow fastbootd functionfs:file rw_file_perms;
+
+  # Log to serial
+  allow fastbootd kmsg_device:chr_file { open write };
+
+  # battery info
+  allow fastbootd sysfs_batteryinfo:file r_file_perms;
+
+  allow fastbootd device:dir r_dir_perms;
+
+  # Reboot the device
+  set_prop(fastbootd, powerctl_prop)
+
+  # Read serial number of the device from system properties
+  get_prop(fastbootd, serialno_prop)
+
+  # Set sys.usb.ffs.ready.
+  set_prop(fastbootd, ffs_prop)
+  set_prop(fastbootd, exported_ffs_prop)
+
+  unix_socket_connect(fastbootd, recovery, recovery)
+
+  # Required for flashing
+  allow fastbootd dm_device:chr_file rw_file_perms;
+  allow fastbootd dm_device:blk_file rw_file_perms;
+
+  allow fastbootd super_block_device:blk_file rw_file_perms;
+  allow fastbootd system_block_device:blk_file rw_file_perms;
+  allow fastbootd boot_block_device:blk_file rw_file_perms;
+
+  allow fastbootd misc_block_device:blk_file rw_file_perms;
+
+  allow fastbootd proc_cmdline:file r_file_perms;
+  allow fastbootd rootfs:dir r_dir_perms;
+  allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
+')
+
+###
+### neverallow rules
+###
+
+# Write permission is required to wipe userdata
+# until recovery supports vold.
+neverallow fastbootd {
+   data_file_type
+}:file { no_x_file_perms };
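Review bot: The comment above the closing neverallow explains why write is not denied, but not what the rule does deny, and the rule names only `no_x_file_perms` on class `file`. A reader has to infer that the intent is "never execute anything labelled data_file_type". A comment such as `# fastbootd must never execute files from /data. Write is left out of this rule because wiping userdata needs it until recovery supports vold.` would state that directly. The `device:dir`, `proc_cmdline`, `rootfs:dir` and `sysfs_dt_firmware_android` allow rules in the recovery_only block likewise carry no comment saying what they are needed for, which makes them hard to audit for least privilege later.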
diff --git a/public/file.te b/public/file.te
index 75d1edcbbaa471c0e65d07012465741dff29202f..4b0dc2dcbc0e11761ae56efed4e7a2974b68526b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -342,6 +342,7 @@ type mtpd_socket, file_type, coredomain_socket;
 type netd_socket, file_type, coredomain_socket;
 type property_socket, file_type, coredomain_socket, mlstrustedobject;
 type racoon_socket, file_type, coredomain_socket;
+type recovery_socket, file_type, coredomain_socket;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
 type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index b9b08dd1794dccf6d6fef63e9d06c51565ca71d6..c0d4e701cbeb281a7bb70dad9c4895d87dae28cb 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -96,7 +96,7 @@ allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
 
 # /vendor apk access
-allow mediaserver vendor_app_file:file r_file_perms;
+allow mediaserver vendor_app_file:file { read map };
 
 use_drmservice(mediaserver)
 allow mediaserver drmserver:drmservice {
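Review bot: Replacing `r_file_perms` with `{ read map }` on vendor_app_file removes `open`, `getattr`, `ioctl` and `lock`, and the existing comment `# /vendor apk access` does not say why. Presumably mediaserver is meant to use only descriptors that another process opened and passed in. The comment should record that, e.g. `# /vendor apk access: files arrive as already-open fds, so open is intentionally not granted`. If mediaserver calls fstat() on such a descriptor, `getattr` will be denied, so check for that denial or use `{ read map getattr }`.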
diff --git a/public/recovery.te b/public/recovery.te
index dcec9705ec68ff8bc9767d1487066e01c341d883..317cf32b7582b8522b7f0ca4fe57282b72b56150 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -118,6 +118,10 @@ recovery_only(`
   set_prop(recovery, ffs_prop)
   set_prop(recovery, exported_ffs_prop)
 
+  # Set sys.usb.config when switching into fastboot.
+  set_prop(recovery, system_radio_prop)
+  set_prop(recovery, exported_system_radio_prop)
+
   # Read ro.boot.bootreason
   get_prop(recovery, bootloader_boot_reason_prop)
 
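Review bot: The two added set_prop lines give recovery write access to every property labelled system_radio_prop or exported_system_radio_prop, while the comment names only sys.usb.config. property_contexts is not part of this diff, so it cannot be checked here which other keys share those labels; if any do, recovery can now set them as well. The comment should record the scope, e.g. `# Set sys.usb.config when switching into fastboot (the grant covers every property with these labels).`, or sys.usb.config could be given a narrower label of its own.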
diff --git a/public/te_macros b/public/te_macros
index 67df3071f87cf8d4591735f7c086b7d645435df9..a03bfe9bfb97bfe50c3cad1c2754b3ed4f6bfee1 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -408,7 +408,7 @@ allow $1 sysfs_wake_lock:file rw_file_perms;
 allow $1 self:global_capability2_class_set block_suspend;
 # TODO(b/36375663): wake lock clients should be tagged with
 # hal_system_suspend_client and halclientdomain attributes. However,
-# typeattribute statements don't allow applying attributes to other attributes,
+# typeattribute statements do not allow applying attributes to other attributes,
 # so instead we grant appropriate permissions directly within this macro.
 # hal_system_suspend_client permissions
 binder_call($1, hal_system_suspend_server)