common/private/recovery.te - LeafOS-Project/android_device_lineage_sepolicy - Gitiles

 recovery_only(`
 userdebug_or_eng(`
 permissive recovery;
 ')

 # Volume manager
 allow recovery block_device:dir create_dir_perms;
 allow recovery block_device:blk_file { create unlink rw_file_perms };
 allow recovery self:capability { mknod fsetid };
 allow recovery proc_filesystems:file r_file_perms;
 allow recovery self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow recovery sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
 allow recovery tmpfs:file link;
 allow recovery rootfs:dir w_dir_perms;
 allow recovery rootfs:file { create_file_perms link };
 allow recovery media_rw_data_file:dir r_dir_perms;

 # Read fbe encryption info
 r_dir_file(recovery, unencrypted_data_file)
 ')
	recovery_only(`
	userdebug_or_eng(`
	permissive recovery;
	')

	# Volume manager
	allow recovery block_device:dir create_dir_perms;
	allow recovery block_device:blk_file { create unlink rw_file_perms };
	allow recovery self:capability { mknod fsetid };
	allow recovery proc_filesystems:file r_file_perms;
	allow recovery self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
	allow recovery sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
	allow recovery tmpfs:file link;
	allow recovery rootfs:dir w_dir_perms;
	allow recovery rootfs:file { create_file_perms link };
	allow recovery media_rw_data_file:dir r_dir_perms;

	# Read fbe encryption info
	r_dir_file(recovery, unencrypted_data_file)
	')