PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
426f2e77c0
android_system_sepolicy/private/gsid.te
Yifan Hong 07a99e16e4 update_engine: rules to apply virtual A/B OTA 
- /data/gsi/ota/* now has the type ota_image_data_file. At runtime
  during an OTA, update_engine uses libsnapshot to talk to gsid
  to create these images as a backing storage of snapshots. These
  "COW images" stores the changes update_engine has applied to
  the partitions.
  If the update is successful, these changes will be merged to the
  partitions, and these images will be teared down. If the update
  fails, these images will be deleted after rolling back to the
  previous slot.

- /metadata/gsi/ota/* now has the type ota_metadata_file. At runtime
  during an OTA, update_engine and gsid stores update states and
  information of the created snapshots there. At next boot, init
  reads these files to re-create the snapshots.

Beside these assignments, this CL also allows gsid and update_engine
to have the these permissions to do these operations.

Bug: 135752105
Test: apply OTA, no failure
Change-Id: Ibd53cacb6b4ee569c33cffbc18b1b801b62265de
2019-10-02 12:46:47 -07:00

168 lines
5.0 KiB
Plaintext
Raw Blame History

# gsid - Manager for GSI Installation
type gsid, domain;
type gsid_exec, exec_type, file_type, system_file_type;
typeattribute gsid coredomain;
init_daemon_domain(gsid)
binder_use(gsid)
binder_service(gsid)
add_service(gsid, gsi_service)
set_prop(gsid, gsid_prop)
# Needed to create/delete device-mapper nodes, and read/write to them.
allow gsid dm_device:chr_file rw_file_perms;
allow gsid dm_device:blk_file rw_file_perms;
allow gsid self:global_capability_class_set sys_admin;
dontaudit gsid self:global_capability_class_set dac_override;
# On FBE devices (not using dm-default-key), gsid will use loop devices to map
# images rather than device-mapper.
allow gsid loop_control_device:chr_file rw_file_perms;
allow gsid loop_device:blk_file rw_file_perms;
allowxperm gsid loop_device:blk_file ioctl {
LOOP_GET_STATUS64
LOOP_SET_STATUS64
LOOP_SET_FD
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
BLKFLSBUF
};
# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
# file names.
r_dir_file(gsid, sysfs_dm)
# Needed to read fstab, which is used to validate that system verity does not
# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
# to get the A/B slot suffix).
allow gsid proc_cmdline:file r_file_perms;
allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
allow gsid sysfs_dt_firmware_android:file r_file_perms;
# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
allow gsid block_device:dir r_dir_perms;
# liblp queries these block alignment properties.
allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
BLKIOMIN
BLKALIGNOFF
};
# When installing images to an sdcard, gsid needs to be able to stat() the
# block device. gsid also calls realpath() to remove symlinks.
allow gsid mnt_media_rw_file:dir r_dir_perms;
# When installing images to an sdcard, gsid must bypass sdcardfs and install
# directly to vfat, which supports the FIBMAP ioctl.
allow gsid vfat:dir rw_dir_perms;
allow gsid vfat:file create_file_perms;
allow gsid sdcard_block_device:blk_file r_file_perms;
# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
# requirement, but the kernel does not implement FIEMAP support for VFAT.
allow gsid self:global_capability_class_set sys_rawio;
# gsi_tool passes the system image over the adb connection, via stdin.
allow gsid adbd:fd use;
# Needed when running gsi_tool through "su root" rather than adb root.
allow gsid adbd:unix_stream_socket rw_socket_perms;
neverallow {
domain
-gsid
-init
-update_engine_common
} gsid_prop:property_service set;
# gsid needs to store images on /data, but cannot use file I/O. If it did, the
# underlying blocks would be encrypted, and we couldn't mount the GSI image in
# first-stage init. So instead of directly writing to /data, we:
#
# 1. fallocate a file large enough to hold the signed GSI
# 2. extract its block layout with FIEMAP
# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
# 4. write system_gsi into that dm device
#
# To make this process work, we need to unwrap the device-mapper stacking for
# userdata to reach the underlying block device. To verify the result we use
# stat(), which requires read access.
allow gsid userdata_block_device:blk_file r_file_perms;
# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
# init. It cannot use userdata since data cannot be decrypted during this
# stage.
#
# gsid uses /metadata/gsi to store three files:
# install_status - A short string indicating whether a GSI image is bootable.
# lp_metadata - LpMetadata blob describing the block ranges on userdata
# where system_gsi resides.
# booted - An empty file that, if exists, indicates that a GSI is
# currently running.
#
allow gsid metadata_file:dir { search getattr };
allow gsid {
gsi_metadata_file
ota_metadata_file
}:dir rw_dir_perms;
allow gsid {
gsi_metadata_file
ota_metadata_file
}:file create_file_perms;
allow gsid {
gsi_data_file
ota_image_data_file
}:dir rw_dir_perms;
allow gsid {
gsi_data_file
ota_image_data_file
}:file create_file_perms;
allowxperm gsid {
gsi_data_file
ota_image_data_file
}:file ioctl FS_IOC_FIEMAP;
neverallow {
domain
-init
-gsid
-fastbootd
-vold
} gsi_metadata_file:dir *;
neverallow {
domain
-init
-gsid
-fastbootd
-vold
} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow {
domain
-init
-gsid
-fastbootd
-vold
} { gsi_data_file gsi_metadata_file }:notdevfile_class_set *;
neverallow {
domain
-gsid
-init
} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow {
domain
-init
-gsid
} gsi_data_file:dir *;
neverallow {
domain
-gsid
} gsi_data_file:notdevfile_class_set ~{ relabelto getattr };
Reference in New Issue View Git Blame Copy Permalink