update_engine: rules to apply virtual A/B OTA

- /data/gsi/ota/* now has the type ota_image_data_file. At runtime during an OTA, update_engine uses libsnapshot to talk to gsid to create these images as a backing storage of snapshots. These "COW images" stores the changes update_engine has applied to the partitions. If the update is successful, these changes will be merged to the partitions, and these images will be teared down. If the update fails, these images will be deleted after rolling back to the previous slot. - /metadata/gsi/ota/* now has the type ota_metadata_file. At runtime during an OTA, update_engine and gsid stores update states and information of the created snapshots there. At next boot, init reads these files to re-create the snapshots. Beside these assignments, this CL also allows gsid and update_engine to have the these permissions to do these operations. Bug: 135752105 Test: apply OTA, no failure Change-Id: Ibd53cacb6b4ee569c33cffbc18b1b801b62265de
2019-08-07 13:01:15 -07:00 · 2019-08-07 13:01:15 -07:00 · 07a99e16e4
commit 07a99e16e4
parent 93b9db56aa
6 changed files with 42 additions and 6 deletions
--- a/private/file.te
+++ b/private/file.te
@ -23,3 +23,6 @@ type rollback_data_file, file_type, data_file_type, core_data_file_type;

 # /dev/linkerconfig(/.*)?
 type linkerconfig_file, file_type;
+
+# /data/gsi/ota
+type ota_image_data_file, file_type, data_file_type, core_data_file_type;
--- a/private/file_contexts
+++ b/private/file_contexts
@ -460,6 +460,7 @@
 /data/app-private(/.*)?               u:object_r:apk_private_data_file:s0
 /data/app-private/vmdl.*\.tmp(/.*)?   u:object_r:apk_private_tmp_file:s0
 /data/gsi(/.*)?        u:object_r:gsi_data_file:s0
+/data/gsi/ota(/.*)?    u:object_r:ota_image_data_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
@ -641,6 +642,7 @@
 /metadata/apex(/.*)?      u:object_r:apex_metadata_file:s0
 /metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
 /metadata/gsi(/.*)?       u:object_r:gsi_metadata_file:s0
+/metadata/gsi/ota(/.*)?   u:object_r:ota_metadata_file:s0
 /metadata/password_slots(/.*)?    u:object_r:password_slot_metadata_file:s0
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0

--- a/private/gsid.te
+++ b/private/gsid.te
@ -70,7 +70,12 @@ allow gsid adbd:fd use;
 # Needed when running gsi_tool through "su root" rather than adb root.
 allow gsid adbd:unix_stream_socket rw_socket_perms;

-neverallow { domain -gsid -init } gsid_prop:property_service set;
+neverallow {
+  domain
+  -gsid
+  -init
+  -update_engine_common
+} gsid_prop:property_service set;

 # gsid needs to store images on /data, but cannot use file I/O. If it did, the
 # underlying blocks would be encrypted, and we couldn't mount the GSI image in
@ -98,12 +103,27 @@ allow gsid userdata_block_device:blk_file r_file_perms;
 #                    currently running.
 #
 allow gsid metadata_file:dir { search getattr };
-allow gsid gsi_metadata_file:dir rw_dir_perms;
-allow gsid gsi_metadata_file:file create_file_perms;
+allow gsid {
+    gsi_metadata_file
+    ota_metadata_file
+}:dir rw_dir_perms;
+allow gsid {
+    gsi_metadata_file
+    ota_metadata_file
+}:file create_file_perms;

-allow gsid gsi_data_file:dir rw_dir_perms;
-allow gsid gsi_data_file:file create_file_perms;
-allowxperm gsid gsi_data_file:file ioctl FS_IOC_FIEMAP;
+allow gsid {
+      gsi_data_file
+      ota_image_data_file
+}:dir rw_dir_perms;
+allow gsid {
+      gsi_data_file
+      ota_image_data_file
+}:file create_file_perms;
+allowxperm gsid {
+      gsi_data_file
+      ota_image_data_file
+}:file ioctl FS_IOC_FIEMAP;

 neverallow {
    domain
--- a/private/update_engine.te
+++ b/private/update_engine.te
@ -1,3 +1,7 @@
 typeattribute update_engine coredomain;

 init_daemon_domain(update_engine);
+
+# Allow to talk to gsid.
+allow update_engine gsi_service:service_manager find;
+binder_call(update_engine, gsid)
--- a/public/update_engine.te
+++ b/public/update_engine.te
@ -54,3 +54,6 @@ allow update_engine proc_misc:file r_file_perms;

 # read directories on /system and /vendor
 allow update_engine system_file:dir r_dir_perms;
+
+# Allow to start gsid service.
+set_prop(update_engine, ctl_gsid_prop)
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@ -79,3 +79,7 @@ unix_socket_send(update_engine_common, statsdw, statsd)

 # Allow to read Virtual A/B feature flags.
 get_prop(update_engine_common, virtual_ab_prop)
+
+# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
+allow update_engine_common ota_metadata_file:dir rw_dir_perms;
+allow update_engine_common ota_metadata_file:file create_file_perms;