2020-10-20 07:11:29 +02:00
|
|
|
# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
|
2020-11-13 09:45:59 +01:00
|
|
|
type snapuserd, domain;
|
|
|
|
|
type snapuserd_exec, exec_type, file_type, system_file_type;
|
2020-10-20 07:11:29 +02:00
|
|
|
|
|
|
|
|
typeattribute snapuserd coredomain;
|
|
|
|
|
|
|
|
|
|
init_daemon_domain(snapuserd)
|
|
|
|
|
|
|
|
|
|
allow snapuserd kmsg_device:chr_file rw_file_perms;
|
|
|
|
|
|
2021-07-22 10:23:45 +02:00
|
|
|
# Allow snapuserd to reach block devices in /dev/block.
|
|
|
|
|
allow snapuserd block_device:dir search;
|
|
|
|
|
|
|
|
|
|
# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
|
|
|
|
|
allow snapuserd sysfs:dir { open read };
|
|
|
|
|
|
|
|
|
|
# Read /sys/block/dm-X/dm/name (which is a symlink to
|
|
|
|
|
# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
|
|
|
|
|
# dm-X and dynamic partitions.
|
|
|
|
|
allow snapuserd sysfs_dm:dir { open read search };
|
|
|
|
|
allow snapuserd sysfs_dm:file r_file_perms;
|
|
|
|
|
|
2020-10-20 07:11:29 +02:00
|
|
|
# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
|
|
|
|
|
allow snapuserd block_device:dir r_dir_perms;
|
|
|
|
|
allow snapuserd dm_device:chr_file rw_file_perms;
|
|
|
|
|
allow snapuserd dm_device:blk_file rw_file_perms;
|
|
|
|
|
|
|
|
|
|
# Reading and writing to dm-user control nodes.
|
2020-11-13 09:45:59 +01:00
|
|
|
allow snapuserd dm_user_device:dir r_dir_perms;
|
2020-10-20 07:11:29 +02:00
|
|
|
allow snapuserd dm_user_device:chr_file rw_file_perms;
|
2020-12-03 06:15:08 +01:00
|
|
|
|
2021-07-27 00:03:11 +02:00
|
|
|
# Reading and writing to /dev/socket/snapuserd and snapuserd_proxy.
|
2020-12-03 06:15:08 +01:00
|
|
|
allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
|
2021-07-27 00:03:11 +02:00
|
|
|
allow snapuserd snapuserd_proxy_socket:sock_file write;
|
2020-12-03 06:15:08 +01:00
|
|
|
|
|
|
|
|
# This arises due to first-stage init opening /dev/null without F_CLOEXEC
|
|
|
|
|
# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
|
|
|
|
|
# again, the descriptor leaks into the new process.
|
|
|
|
|
allow snapuserd kernel:fd use;
|
2021-07-27 00:03:11 +02:00
|
|
|
|
|
|
|
|
# snapuserd.* properties
|
|
|
|
|
set_prop(snapuserd, snapuserd_prop)
|
2021-11-09 09:42:54 +01:00
|
|
|
get_prop(snapuserd, virtual_ab_prop)
|
2021-07-27 00:03:11 +02:00
|
|
|
|
|
|
|
|
# For inotify watching for /dev/socket/snapuserd_proxy to appear.
|
2021-08-05 04:24:06 +02:00
|
|
|
allow snapuserd tmpfs:dir { read watch };
|
2021-07-27 00:03:11 +02:00
|
|
|
|
|
|
|
|
# Forbid anything other than snapuserd and init setting snapuserd properties.
|
|
|
|
|
neverallow {
|
|
|
|
|
domain
|
|
|
|
|
-snapuserd
|
|
|
|
|
-init
|
|
|
|
|
} snapuserd_prop:property_service set;
|
2022-09-06 04:10:26 +02:00
|
|
|
|
2023-01-03 06:13:43 +01:00
|
|
|
# Allow to read/write/create OTA metadata files
|
|
|
|
|
allow snapuserd metadata_file:dir search;
|
|
|
|
|
allow snapuserd ota_metadata_file:dir rw_dir_perms;
|
|
|
|
|
allow snapuserd ota_metadata_file:file create_file_perms;
|
2022-11-14 23:06:36 +01:00
|
|
|
|
|
|
|
|
# This capability allows snapuserd to circumvent memlock rlimits while using
|
|
|
|
|
# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
|
|
|
|
|
allow snapuserd self:capability ipc_lock;
|
|
|
|
|
io_uring_use(snapuserd)
|
