platform_system_sepolicy/private/fastbootd.te

typeattribute fastbootd coredomain;

# The allow rules are only included in the recovery policy.
# Otherwise fastbootd is only allowed the domain rules.
recovery_only(`
  # Reboot the device
  set_prop(fastbootd, powerctl_prop)

  # Read serial number of the device from system properties
  get_prop(fastbootd, serialno_prop)

  # Set sys.usb.ffs.ready.
  get_prop(fastbootd, ffs_config_prop)
  set_prop(fastbootd, ffs_control_prop)

  userdebug_or_eng(`
    get_prop(fastbootd, persistent_properties_ready_prop)
  ')

  set_prop(fastbootd, gsid_prop)

  # Determine allocation scheme (whether B partitions needs to be
  # at the second half of super.
  get_prop(fastbootd, virtual_ab_prop)
  get_prop(fastbootd, snapuserd_prop)

  # Needed for TCP protocol
  allow fastbootd node:tcp_socket node_bind;
  allow fastbootd port:tcp_socket name_bind;
  allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };

  # Start snapuserd for merging VABC updates
  set_prop(fastbootd, ctl_snapuserd_prop)

  # Needed to communicate with snapuserd to complete merges.
  allow fastbootd snapuserd_socket:sock_file write;
  allow fastbootd snapuserd:unix_stream_socket connectto;
  allow fastbootd dm_user_device:dir r_dir_perms;

  # Get fastbootd protocol property
  get_prop(fastbootd, fastbootd_protocol_prop)

  # Mount /metadata to interact with Virtual A/B snapshots.
  allow fastbootd labeledfs:filesystem { mount unmount };
  set_prop(fastbootd, boottime_prop)

  # Needed for reading boot properties.
  allow fastbootd proc_bootconfig:file r_file_perms;
  # Let this domain use the hal fastboot service
  binder_use(fastbootd)
  hal_client_domain(fastbootd, hal_fastboot)
')

# This capability allows fastbootd to circumvent memlock rlimits while using
# io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.
allow fastbootd self:capability ipc_lock;
io_uring_use(fastbootd)
Add sepolicy for fastbootd Also allow adb and fastboot to talk to recovery through recovery_socket. This enables changing between modes with usb commands. Test: No selinux denials Bug: 78793464 Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790 2018-05-29 19:54:16 +02:00			`typeattribute fastbootd coredomain;`
Move system property rules to private public/property split is landed to selectively export public types to vendors. So rules happening within system should be in private. This introduces private/property.te and moves all allow and neverallow rules from any coredomains to system defiend properties. Bug: 150331497 Test: system/sepolicy/tools/build_policies.sh Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe (cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8) 2020-03-04 09:20:35 +01:00
			`# The allow rules are only included in the recovery policy.`
			`# Otherwise fastbootd is only allowed the domain rules.`
			recovery_only(`
			`# Reboot the device`
			`set_prop(fastbootd, powerctl_prop)`

			`# Read serial number of the device from system properties`
			`get_prop(fastbootd, serialno_prop)`

			`# Set sys.usb.ffs.ready.`
Rename contexts of ffs props Bug: 71814576 Bug: 154885206 Test: m sepolicy_test Change-Id: Idacc3635851b14b833bccca177d784f4bb92c763 2020-04-27 16:49:15 +02:00			`get_prop(fastbootd, ffs_config_prop)`
			`set_prop(fastbootd, ffs_control_prop)`
Move system property rules to private public/property split is landed to selectively export public types to vendors. So rules happening within system should be in private. This introduces private/property.te and moves all allow and neverallow rules from any coredomains to system defiend properties. Bug: 150331497 Test: system/sepolicy/tools/build_policies.sh Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe (cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8) 2020-03-04 09:20:35 +01:00
			userdebug_or_eng(`
			`get_prop(fastbootd, persistent_properties_ready_prop)`
			`')`

			`set_prop(fastbootd, gsid_prop)`

			`# Determine allocation scheme (whether B partitions needs to be`
			`# at the second half of super.`
			`get_prop(fastbootd, virtual_ab_prop)`
Allow update_engine, recovery, and fastbootd to read snapuserd properties. Bug: 193833730 Test: OTA applies and boots Change-Id: I81c089e1763a7e25b23df245f76e04acd52a337e 2021-07-28 03:51:18 +02:00			`get_prop(fastbootd, snapuserd_prop)`
Support TCP based fastbootd in recovery mode. The IPv6 link-local address is used to avoid expose device to out of network segment. BUG: 155198345 Test: manual test. Change-Id: I0ce8c12de9976c01e57a6433c7fb50235e907dc5 2020-04-24 08:43:13 +02:00
			`# Needed for TCP protocol`
			`allow fastbootd node:tcp_socket node_bind;`
			`allow fastbootd port:tcp_socket name_bind;`
			`allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };`

Allow snapuserd interaction in recovery and fastbootd. This is needed to support VABC merges on data wipes and via "fastboot snapshot-update merge". Bug: 168258606 Test: fastboot snapshot-update merge data wipe during VABC merge Change-Id: I32770a2e74f2c2710e4964f65c42ae779c1a0b90 2021-02-05 05:24:23 +01:00			`# Start snapuserd for merging VABC updates`
			`set_prop(fastbootd, ctl_snapuserd_prop)`

			`# Needed to communicate with snapuserd to complete merges.`
			`allow fastbootd snapuserd_socket:sock_file write;`
			`allow fastbootd snapuserd:unix_stream_socket connectto;`
			`allow fastbootd dm_user_device:dir r_dir_perms;`

Support TCP based fastbootd in recovery mode. The IPv6 link-local address is used to avoid expose device to out of network segment. BUG: 155198345 Test: manual test. Change-Id: I0ce8c12de9976c01e57a6433c7fb50235e907dc5 2020-04-24 08:43:13 +02:00			`# Get fastbootd protocol property`
			`get_prop(fastbootd, fastbootd_protocol_prop)`
Allow fastbootd to mount /metadata in recovery. It is important that fastbootd is able to mount /metadata in recovery, in order to check whether Virtual A/B snapshots are present. This is enabled on userdebug builds, but currently fails on user builds. Fixes: audit: type=1400 audit(7258310.023:24): avc: denied { mount } for pid=511 comm="fastbootd" name="/" dev="sda15" ino=2 scontext=u:r:fastbootd:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0 Bug: 181097763 Test: fastboot flash on user build Change-Id: I1abeeaa3109e08755a1ba44623a46b12d9bfdedc 2021-05-06 01:33:48 +02:00
			`# Mount /metadata to interact with Virtual A/B snapshots.`
			`allow fastbootd labeledfs:filesystem { mount unmount };`
Allow fastbootd set boottime property Bug: 264489957 Test: flash and no related avc error Change-Id: Ia9a6d4918aa78e6b3e7df39496d786921192c8af Signed-off-by: Wilson Sung <wilsonsung@google.com> 2023-04-28 04:57:28 +02:00			`set_prop(fastbootd, boottime_prop)`
Fix fastbootd denials when using /proc/bootconfig. Bug: 189493387 Test: fastboot flashall on device using bootconfig Change-Id: Ibfb7c8a2861f61803a449a4b0ec9ed92ded5c4de 2021-06-08 03:38:53 +02:00
			`# Needed for reading boot properties.`
			`allow fastbootd proc_bootconfig:file r_file_perms;`
Fastboot AIDL Sepolicy changes Bug: 205760652 Test: Build & flash Change-Id: I2709c5cc2ca859481aac6fecbc99fe30a52a668b Signed-off-by: Sandeep Dhavale <dhavale@google.com> 2022-11-09 00:57:09 +01:00			`# Let this domain use the hal fastboot service`
			`binder_use(fastbootd)`
			`hal_client_domain(fastbootd, hal_fastboot)`
Move system property rules to private public/property split is landed to selectively export public types to vendors. So rules happening within system should be in private. This introduces private/property.te and moves all allow and neverallow rules from any coredomains to system defiend properties. Bug: 150331497 Test: system/sepolicy/tools/build_policies.sh Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe (cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8) 2020-03-04 09:20:35 +01:00			`')`
Fix selinux denials for fastbootd Test: flash on O6, flash an image using git_master system + mainline kernel Bug: 244785938 Change-Id: I1b0e1ea0f1937abd2ad96a606b565812ee8096e1 2022-09-02 22:01:24 +02:00
Add SELinux Policy For io_uring Brings in the io_uring class and associated restrictions and adds a new macro, `io_uring_use`, to sepolicy. In more detail, this change: * Adds a new macro expands to ensure the domain it is passed can undergo a type transition to a new type, `<domain>_iouring`, when the anon_inode being accessed is labeled `[io_uring]`. It also allows the domain to create, read, write, and map the io_uring anon_inode. * Adds the ability for a domain to use the `IORING_SETUP_SQPOLL` flag during `io_uring_setup` so that a syscall to `io_uring_enter` is not required by the caller each time it wishes to submit IO. This can be enabled securely as long as we don't enable sharing of io_uring file descriptors across domains. The kernel polling thread created by `SQPOLL` will inherit the credentials of the thread that created the io_uring [1]. * Removes the selinux policy that restricted all domains that make use of the `userfault_fd` macro from any `anon_inode` created by another domain. This is overly restrictive, as it prohibits the use of two different `anon_inode` use cases in a single domain e.g. userfaultfd and io_uring. This change also replaces existing sepolicy in fastbootd and snapuserd that enabled the use of io_uring. [1] https://patchwork.kernel.org/project/linux-security-module/patch/163159041500.470089.11310853524829799938.stgit@olly/ Bug: 253385258 Test: m selinux_policy Test: cd external/liburing; mm; atest liburing_test; # requires WIP CL ag/20291423 Test: Manually deliver OTAs (built with m dist) to a recent Pixel device and ensure snapuserd functions correctly (no io_uring failures) Change-Id: I96f38760b3df64a1d33dcd6e5905445ccb125d3f 2022-11-14 23:06:36 +01:00			`# This capability allows fastbootd to circumvent memlock rlimits while using`
			`# io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.`
Fix selinux denials for fastbootd Test: flash on O6, flash an image using git_master system + mainline kernel Bug: 244785938 Change-Id: I1b0e1ea0f1937abd2ad96a606b565812ee8096e1 2022-09-02 22:01:24 +02:00			`allow fastbootd self:capability ipc_lock;`
Add SELinux Policy For io_uring Brings in the io_uring class and associated restrictions and adds a new macro, `io_uring_use`, to sepolicy. In more detail, this change: * Adds a new macro expands to ensure the domain it is passed can undergo a type transition to a new type, `<domain>_iouring`, when the anon_inode being accessed is labeled `[io_uring]`. It also allows the domain to create, read, write, and map the io_uring anon_inode. * Adds the ability for a domain to use the `IORING_SETUP_SQPOLL` flag during `io_uring_setup` so that a syscall to `io_uring_enter` is not required by the caller each time it wishes to submit IO. This can be enabled securely as long as we don't enable sharing of io_uring file descriptors across domains. The kernel polling thread created by `SQPOLL` will inherit the credentials of the thread that created the io_uring [1]. * Removes the selinux policy that restricted all domains that make use of the `userfault_fd` macro from any `anon_inode` created by another domain. This is overly restrictive, as it prohibits the use of two different `anon_inode` use cases in a single domain e.g. userfaultfd and io_uring. This change also replaces existing sepolicy in fastbootd and snapuserd that enabled the use of io_uring. [1] https://patchwork.kernel.org/project/linux-security-module/patch/163159041500.470089.11310853524829799938.stgit@olly/ Bug: 253385258 Test: m selinux_policy Test: cd external/liburing; mm; atest liburing_test; # requires WIP CL ag/20291423 Test: Manually deliver OTAs (built with m dist) to a recent Pixel device and ensure snapuserd functions correctly (no io_uring failures) Change-Id: I96f38760b3df64a1d33dcd6e5905445ccb125d3f 2022-11-14 23:06:36 +01:00			`io_uring_use(fastbootd)`