recovery_only(`
  allow recovery sysfs_nanoapp_cmd:dir search;
  allow recovery sysfs_nanoapp_cmd:file { open write };
')