tequilaOS/platform_system_core

Fork 0

Commit graph

Author	SHA1	Message	Date
David Anderson	0e5ad5a093	snapuserd: Allow connecting to the first-stage daemon. Currently there is no socket for daemon instances launched during the selinux phase of init. We don't create any sockets due to the complexity of the required sepolicy. This workaround will allow us to create the socket with very minimal sepolicy changes. init will launch a one-off instance of snapuserd in "proxy" mode, and then the following steps will occur: 1. The proxy daemon will be given two sockets, the "normal" socket that snapuserd clients would connect to, and a "proxy" socket. 2. The proxy daemon will listen on the proxy socket. 3. The first-stage daemon will wake up and connect to the proxy daemon as a client. 4. The proxy will send the normal socket via SCM_RIGHTS, then exit. 5. The first-stage daemon can now listen and accept on the normal socket. Ordering of these events is achieved through a snapuserd.proxy_ready property. Some special-casing was needed in init to make this work. The snapuserd socket owned by snapuserd_proxy is placed into a "persist" mode so it doesn't get deleted when snapuserd_proxy exits. There's also a special case method to create a Service object around a previously existing pid. Finally, first-stage init is technically on a different updateable partition than snapuserd. Thus, we add a way to query snapuserd to see if it supports socket handoff. If it does, we communicate this information through an environment variable to second-stage init. Bug: 193833730 Test: manual test Change-Id: I1950b31028980f0138bc03578cd455eb60ea4a58	2021-07-27 19:35:29 -07:00
David Anderson	491e4da372	init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e	2021-01-08 16:39:51 -08:00

Author

SHA1

Message

Date

David Anderson

0e5ad5a093

snapuserd: Allow connecting to the first-stage daemon.

Currently there is no socket for daemon instances launched during the
selinux phase of init. We don't create any sockets due to the complexity
of the required sepolicy.

This workaround will allow us to create the socket with very minimal
sepolicy changes. init will launch a one-off instance of snapuserd in
"proxy" mode, and then the following steps will occur:

1. The proxy daemon will be given two sockets, the "normal" socket that
snapuserd clients would connect to, and a "proxy" socket.
2. The proxy daemon will listen on the proxy socket.
3. The first-stage daemon will wake up and connect to the proxy daemon
as a client.
4. The proxy will send the normal socket via SCM_RIGHTS, then exit.
5. The first-stage daemon can now listen and accept on the normal
socket.

Ordering of these events is achieved through a snapuserd.proxy_ready
property.

Some special-casing was needed in init to make this work. The snapuserd
socket owned by snapuserd_proxy is placed into a "persist" mode so it
doesn't get deleted when snapuserd_proxy exits. There's also a special
case method to create a Service object around a previously existing pid.

Finally, first-stage init is technically on a different updateable
partition than snapuserd. Thus, we add a way to query snapuserd to see
if it supports socket handoff. If it does, we communicate this
information through an environment variable to second-stage init.

Bug: 193833730
Test: manual test
Change-Id: I1950b31028980f0138bc03578cd455eb60ea4a58

2021-07-27 19:35:29 -07:00

David Anderson

491e4da372

init: Add an selinux transition for snapuserd.

With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.

To account for this, we split SelinuxInitialize into multiple steps:

First, sepolicy is read into an in-memory string.

Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.

Third, sepolicy is loaded from the in-memory string.

Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.

Finally, we set enforcing mode.

This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.

Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e

2021-01-08 16:39:51 -08:00

2 commits