recoveryboot: run the BCB watcher in vendor_misc_writer

Same change as pawlet_rpi4: the custom domain violated the
misc_block_device neverallow (checked as user build), and a shell script
cannot be a hal_bootctl_server, so extend AOSP's vendor_misc_writer.
This commit is contained in:
oxmc
2026-07-15 17:14:09 -07:00
parent bf4b920b0c
commit a3fe0bdd42
2 changed files with 20 additions and 15 deletions
+1 -1
View File
@@ -52,4 +52,4 @@
/dev/block/sdb9 u:object_r:userdata_block_device:s0
# reboot-to-recovery chain-loader (vendor/pawlet/recoveryboot)
/vendor/bin/pawlet-recoveryboot\.sh u:object_r:pawlet_recoveryboot_exec:s0
/vendor/bin/pawlet-recoveryboot\.sh u:object_r:vendor_misc_writer_exec:s0
+19 -14
View File
@@ -2,26 +2,31 @@
# recovery partition when the framework requested recovery. Needs to read
# the BCB from misc, keep an attempt counter in /metadata, and trigger the
# reboot via sys.powerctl.
type pawlet_recoveryboot, domain;
type pawlet_recoveryboot_exec, exec_type, vendor_file_type, file_type;
#
# Runs in AOSP's vendor_misc_writer domain — the only non-HAL vendor domain
# that private/domain.te exempts from the misc_block_device neverallow (the
# neverallow check always compiles as a user build, so the userdebug
# carve-out does not help), and a shell script cannot be a
# hal_bootctl_server: private/hal_neverallows.te forbids HAL domains from
# exec'ing vendor sh/toybox. system/sepolicy already grants misc write and
# /dev/block dir read; everything here is additive.
init_daemon_domain(pawlet_recoveryboot)
init_daemon_domain(vendor_misc_writer)
# read the BCB command field back from misc
allow vendor_misc_writer misc_block_device:blk_file r_file_perms;
allow vendor_misc_writer block_device:lnk_file { read getattr };
# toybox utilities from the vendor shell
allow pawlet_recoveryboot vendor_shell_exec:file rx_file_perms;
allow pawlet_recoveryboot vendor_toolbox_exec:file execute_no_trans;
# read/clear the BCB command field in misc
allow pawlet_recoveryboot block_device:dir search;
allow pawlet_recoveryboot block_device:lnk_file { read getattr };
allow pawlet_recoveryboot misc_block_device:blk_file rw_file_perms;
allow vendor_misc_writer vendor_shell_exec:file rx_file_perms;
allow vendor_misc_writer vendor_toolbox_exec:file execute_no_trans;
# bootloop-breaker attempt counter under /metadata/pawlet
allow pawlet_recoveryboot metadata_file:dir create_dir_perms;
allow pawlet_recoveryboot metadata_file:file create_file_perms;
allow vendor_misc_writer metadata_file:dir create_dir_perms;
allow vendor_misc_writer metadata_file:file create_file_perms;
# trigger the reboot
set_prop(pawlet_recoveryboot, powerctl_prop)
set_prop(vendor_misc_writer, powerctl_prop)
# logwrapper/log output
allow pawlet_recoveryboot kmsg_device:chr_file w_file_perms;
allow vendor_misc_writer kmsg_device:chr_file w_file_perms;