android_system_sepolicy/public/update_engine_common.te
Yifan Hong 07a99e16e4 update_engine: rules to apply virtual A/B OTA
- /data/gsi/ota/* now has the type ota_image_data_file. At runtime
  during an OTA, update_engine uses libsnapshot to talk to gsid
  to create these images as a backing storage of snapshots. These
  "COW images" store the changes update_engine has applied to
  the partitions.
  If the update is successful, these changes will be merged to the
  partitions, and these images will be torn down. If the update
  fails, these images will be deleted after rolling back to the
  previous slot.

- /metadata/gsi/ota/* now has the type ota_metadata_file. At runtime
  during an OTA, update_engine and gsid store update states and
  information about the created snapshots there. At next boot, init
  reads these files to re-create the snapshots.

Besides these assignments, this CL also allows gsid and update_engine
to have these permissions to do these operations.

Bug: 135752105
Test: apply OTA, no failure
Change-Id: Ibd53cacb6b4ee569c33cffbc18b1b801b62265de
2019-10-02 12:46:47 -07:00


# update_engine payload application permissions. These are shared between the
# background daemon and the recovery tool to sideload an update.
# Every rule below targets the update_engine_common attribute, so both the
# daemon and the recovery sideloader receive exactly the same access. This is
# the domain that writes new firmware onto the partitions, so keep grants
# here as narrow as the updater actually needs.
# Allow update_engine to reach block devices in /dev/block.
# NOTE(review): a wider block_device:dir r_dir_perms grant appears further
# down in this file; r_dir_perms presumably already includes search, in
# which case this line is redundant — confirm against global_macros.
allow update_engine_common block_device:dir search;
# Allow read/write on system and boot partitions.
# rw_file_perms is a macro defined elsewhere in the policy; these two rules
# are the direct write path onto the boot and system partition devices.
allow update_engine_common boot_block_device:blk_file rw_file_perms;
allow update_engine_common system_block_device:blk_file rw_file_perms;
# Where ioctls are granted via standard allow rules to block devices,
# automatically allow common ioctls that are generally needed by
# update_engine.
# allowxperm narrows the ioctl permission to the listed request codes, so
# a plain "ioctl" grant on a block device does not open the whole ioctl
# space. dev_type is an attribute, so this list applies to every block
# device the domain is otherwise allowed to reach; the codes are discard /
# zero-out / read-only toggling, i.e. operations the updater uses to wipe
# and prepare partitions.
allowxperm update_engine_common dev_type:blk_file ioctl {
BLKDISCARD
BLKDISCARDZEROES
BLKROGET
BLKROSET
BLKSECDISCARD
BLKZEROOUT
};
# Allow to set recovery options in the BCB. Used to trigger factory reset when
# the update to an older version (channel change) or incompatible version
# requires it.
# This is read/write on the whole misc block device, not only the BCB area
# within it; the policy cannot express a finer split.
allow update_engine_common misc_block_device:blk_file rw_file_perms;
# read fstab
# Read-only access to rootfs files (r_file_perms); the dir grant is getattr
# only, no search/read of the root directory listing.
allow update_engine_common rootfs:dir getattr;
allow update_engine_common rootfs:file r_file_perms;
# Allow update_engine_common to mount on the /postinstall directory and reset the
# labels on the mounted filesystem to postinstall_file.
# relabelto is limited to postinstall_file; relabelfrom on labeledfs is the
# other half needed to override a filesystem's existing label at mount time
# (presumably a context= mount — verify against the updater's mount call).
allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
allow update_engine_common labeledfs:filesystem relabelfrom;
# Allow update_engine_common to read and execute postinstall_file.
# rx only: the updater can run the postinstall program but cannot modify it
# or anything else on the mounted postinstall filesystem from here.
allow update_engine_common postinstall_file:file rx_file_perms;
allow update_engine_common postinstall_file:lnk_file r_file_perms;
allow update_engine_common postinstall_file:dir r_dir_perms;
# install update.zip from cache
# r_dir_file is a read-only macro (dir + file), so the cached package can be
# read but not modified or replaced by this domain.
r_dir_file(update_engine_common, cache_file)
# A postinstall program is typically a shell script (with a #!), so we allow
# to execute those.
allow update_engine_common shell_exec:file rx_file_perms;
# Allow update_engine_common to suspend, resume and kill the postinstall program.
# In SELinux, sigstop and sigkill are separate permissions from the generic
# "signal" permission (which covers the remaining signals, e.g. SIGCONT);
# no ptrace or other process control is granted.
allow update_engine_common postinstall:process { signal sigstop sigkill };
# access /proc/cmdline
allow update_engine_common proc_cmdline:file r_file_perms;
# Read files in /sys/firmware/devicetree/base/firmware/android/
r_dir_file(update_engine_common, sysfs_dt_firmware_android)
# Needed because libdm reads sysfs to validate when a dm path is ready.
r_dir_file(update_engine_common, sysfs_dm)
# read / write on /dev/device-mapper to map / unmap devices
# This is the device-mapper control node (chr_file); the mapped devices
# themselves are the blk_file rule that follows.
allow update_engine_common dm_device:chr_file rw_file_perms;
# apply / verify updates on devices mapped via device mapper
allow update_engine_common dm_device:blk_file rw_file_perms;
# read / write metadata on super device to resize partitions
# super_block_device_type is an attribute; rw here lets the updater rewrite
# the logical partition table stored on the super partition.
allow update_engine_common super_block_device_type:blk_file rw_file_perms;
# ioctl on super device to get block device alignment and alignment offset
# Second allowxperm for a narrower target; only these two query ioctls are
# added on top of the dev_type list above.
allowxperm update_engine_common super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
# get physical block device to map logical partitions on device mapper
allow update_engine_common block_device:dir r_dir_perms;
# Allow update_engine_common to write to statsd socket.
unix_socket_send(update_engine_common, statsdw, statsd)
# Allow to read Virtual A/B feature flags.
get_prop(update_engine_common, virtual_ab_prop)
# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
# Per the change description these live under /metadata/gsi/ota and are read
# by init at the next boot to re-create snapshots, so this domain becomes a
# writer of boot-time state. create_file_perms is a policy macro that
# presumably grants create/unlink plus rw but not execute — confirm against
# global_macros.
allow update_engine_common ota_metadata_file:dir rw_dir_perms;
allow update_engine_common ota_metadata_file:file create_file_perms;