platform_system_sepolicy/public/update_verifier.te

# update_verifier
type update_verifier, domain;
type update_verifier_exec, system_file_type, exec_type, file_type;

# Allow update_verifier to reach block devices in /dev/block.
allow update_verifier block_device:dir search;

# Read care map in /data/ota_package/.
allow update_verifier ota_package_file:dir r_dir_perms;
allow update_verifier ota_package_file:file r_file_perms;

# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
allow update_verifier sysfs:dir r_dir_perms;

# Read /sys/block/dm-X/dm/name (which is a symlink to
# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
# dm-X and system/vendor partitions.
allow update_verifier sysfs_dm:dir r_dir_perms;
allow update_verifier sysfs_dm:file r_file_perms;

# Read all blocks in DM wrapped system partition.
allow update_verifier dm_device:blk_file r_file_perms;

# Write to kernel message.
allow update_verifier kmsg_device:chr_file w_file_perms;

# Allow update_verifier to reboot the device.
set_prop(update_verifier, powerctl_prop)

# Use Boot Control HAL
hal_client_domain(update_verifier, hal_bootctl)

# Access Checkpoint commands over binder
allow update_verifier vold_service:service_manager find;
binder_call(update_verifier, servicemanager)
binder_call(update_verifier, vold)
Allow update_verifier to access bootctrl_block_device. Bug: 26039641 Change-Id: Ifd96b105f054b67f881529db3fe94718cab4a0f4 2015-12-05 02:48:50 +01:00			`# update_verifier`
Switch Boot Control HAL policy to _client/_server This switches Boot Control HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Boot Control HAL. Domains which are clients of Boot Control HAL, such as update_server, are granted rules targeting hal_bootctl only when the Boot Control HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_bootctl are not granted to client domains. Domains which offer a binderized implementation of Boot Control HAL, such as hal_bootctl_default domain, are always granted rules targeting hal_bootctl. P. S. This commit removes direct access to Boot Control HAL from system_server because system_server is not a client of this HAL. This commit also removes bootctrl_block_device type which is no longer used. Finally, boot_control_hal attribute is removed because it is now covered by the hal_bootctl attribute. Test: Device boots up, no new denials Test: Reboot into recovery, sideload OTA update succeeds Test: Apply OTA update via update_engine: 1. make dist 2. Ensure device has network connectivity 3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip Bug: 34170079 Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf 2017-03-17 03:17:15 +01:00			`type update_verifier, domain;`
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5 2018-09-27 19:21:37 +02:00			`type update_verifier_exec, system_file_type, exec_type, file_type;`
Allow update_verifier to access bootctrl_block_device. Bug: 26039641 Change-Id: Ifd96b105f054b67f881529db3fe94718cab4a0f4 2015-12-05 02:48:50 +01:00
update_verifier: Allow searching /dev/block. update_verifier calls bootcontrol HAL to mark the currently booting slot as successfully booted. avc: denied { search } for name="block" dev="tmpfs" scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0 avc: denied { search } for name="block" dev="tmpfs" scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0 Bug: 29569601 Test: Device boots up with no update_verifier denials and 'bootctl is-slot-marked-successful 0' returns 0. Change-Id: I1baa7819bc829e3c4b83d7168008a5b06b01cc9f 2016-06-22 21:16:47 +02:00			`# Allow update_verifier to reach block devices in /dev/block.`
			`allow update_verifier block_device:dir search;`

Add sepolicy for update_verifier (cherry picked from commit 5d8d2dc9f9eaf5f22503cdcea0b3f995c29f47e2) Grant update_verifier the permissions to read /data/ota_package/ and the blocks on system partition. The denial messages: update_verifier: type=1400 audit(0.0:29): avc: denied { read } scontext=u:r:update_verifier:s0 tcontext=u:object_r:ota_package_file:s0 tclass=file permissive=1 update_verifier: type=1400 audit(0.0:30): avc: denied { open } scontext=u:r:update_verifier:s0 tcontext=u:object_r:ota_package_file:s0 tclass=file permissive=1 update_verifier: type=1400 audit(0.0:31): avc: denied { read } dev="tmpfs" scontext=u:r:update_verifier:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=1 update_verifier: type=1400 audit(0.0:32): avc: denied { open } dev="tmpfs" scontext=u:r:update_verifier:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=1 Test: On device, update_verifier reads the blocks successfully during boot time. Bug: 30020920 Change-Id: I10777c1e6ba649b82c4a73171124742edeb05997 2016-06-06 20:30:20 +02:00			`# Read care map in /data/ota_package/.`
			`allow update_verifier ota_package_file:dir r_dir_perms;`
			`allow update_verifier ota_package_file:file r_file_perms;`

Create sysfs_dm label. Prior to this CL, /sys/devices/virtual/block/dm-X was using the generic sysfs label. This CL creates sysfs_dm label and grants the following accesses: - update_verifier to read sysfs_dm dir and file at /sys/devices/virtual/block/dm-X. - vold to write sysfs_dm. Bug: 63440407 Test: update_verifier successfully triggers blocks verification and marks a sucessful boot; Test: No sysfs_dm related denials on sailfish. Change-Id: I6349412707800f1bd3a2fb94d4fe505558400c95 2017-10-05 22:50:07 +02:00			`# Read /sys/block to find all the DM directories like (/sys/block/dm-X).`
			`allow update_verifier sysfs:dir r_dir_perms;`

			`# Read /sys/block/dm-X/dm/name (which is a symlink to`
			`# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between`
			`# dm-X and system/vendor partitions.`
			`allow update_verifier sysfs_dm:dir r_dir_perms;`
			`allow update_verifier sysfs_dm:file r_file_perms;`

			`# Read all blocks in DM wrapped system partition.`
Allow update_verifier to read dm blocks Update_verifier will read dm-wrapped system/vendor partition. Therefore, change the sepolicy accordingly. Here's the denied message: update_verifier: type=1400 audit(0.0:131): avc: denied { read } for name="dm-0" dev="tmpfs" ino=15493 scontext=u:r:update_verifier:s0 tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0 Bug: 34391662 Test: Read of /dev/block/dm-0 succeeds during boot time. Change-Id: I23325bd92f6e28e9b1d62a0f2348837cece983d1 2017-01-20 02:41:02 +01:00			`allow update_verifier dm_device:blk_file r_file_perms;`
Add sepolicy for update_verifier (cherry picked from commit 5d8d2dc9f9eaf5f22503cdcea0b3f995c29f47e2) Grant update_verifier the permissions to read /data/ota_package/ and the blocks on system partition. The denial messages: update_verifier: type=1400 audit(0.0:29): avc: denied { read } scontext=u:r:update_verifier:s0 tcontext=u:object_r:ota_package_file:s0 tclass=file permissive=1 update_verifier: type=1400 audit(0.0:30): avc: denied { open } scontext=u:r:update_verifier:s0 tcontext=u:object_r:ota_package_file:s0 tclass=file permissive=1 update_verifier: type=1400 audit(0.0:31): avc: denied { read } dev="tmpfs" scontext=u:r:update_verifier:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=1 update_verifier: type=1400 audit(0.0:32): avc: denied { open } dev="tmpfs" scontext=u:r:update_verifier:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=1 Test: On device, update_verifier reads the blocks successfully during boot time. Bug: 30020920 Change-Id: I10777c1e6ba649b82c4a73171124742edeb05997 2016-06-06 20:30:20 +02:00
Allow update_verifier to write to kmsg Denial message: avc: denied { write } for pid=640 comm="update_verifier" name="kmsg" dev="tmpfs" ino=13951 scontext=u:r:update_verifier:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 Bug: 64713327 Test: update_verifier logs successfully during boot time. Change-Id: I421b1e6660239e5ffc624e504f5945d400510407 2017-08-16 22:09:56 +02:00			`# Write to kernel message.`
			`allow update_verifier kmsg_device:chr_file w_file_perms;`

Allow update_verifier to reboot the device Currently update_verifier only verifies the blocks when dm-verity is in 'enforcing' mode; and dm-verity will reboot the device upon detection of errors. However, sometimes the verity mode is not guaranteed to be correct. When mode is 'eio' for example, dm-verity will not trigger a reboot but rather fail the read. So update_verifier need to take the responsibility to reboot the device. Otherwise the device will continue to boot without setting the flag "isSlotMarkedSuccessful". Denial message: update_verifier: type=1400 audit(0.0:18): avc: denied { write } for name="property_service" dev="tmpfs" ino=14678 scontext=u:r:update_verifier:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0 Bug: 36260064 Test: powerctl property sets successfully Change-Id: I7431f87e2d61be1425397732aebb369d4ad4c26c 2017-04-04 05:08:37 +02:00			`# Allow update_verifier to reboot the device.`
			`set_prop(update_verifier, powerctl_prop)`

Switch Boot Control HAL policy to _client/_server This switches Boot Control HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Boot Control HAL. Domains which are clients of Boot Control HAL, such as update_server, are granted rules targeting hal_bootctl only when the Boot Control HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_bootctl are not granted to client domains. Domains which offer a binderized implementation of Boot Control HAL, such as hal_bootctl_default domain, are always granted rules targeting hal_bootctl. P. S. This commit removes direct access to Boot Control HAL from system_server because system_server is not a client of this HAL. This commit also removes bootctrl_block_device type which is no longer used. Finally, boot_control_hal attribute is removed because it is now covered by the hal_bootctl attribute. Test: Device boots up, no new denials Test: Reboot into recovery, sideload OTA update succeeds Test: Apply OTA update via update_engine: 1. make dist 2. Ensure device has network connectivity 3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip Bug: 34170079 Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf 2017-03-17 03:17:15 +01:00			`# Use Boot Control HAL`
			`hal_client_domain(update_verifier, hal_bootctl)`
Allow update_verifier to call checkpointing This lets update_verifier call supportsCheckpoint to defer marking the boot as successful when we may end up failing before we would commit the checkpoint. In this case, we will mark the boot as successful just before committing the checkpoint. Test: Check that marking the boot as succesful was deferred in update_verifier, and done later on. Change-Id: I9b4f3dd607ff5301860e78f4604b600b4ee416b7 2019-02-01 04:50:59 +01:00
			`# Access Checkpoint commands over binder`
			`allow update_verifier vold_service:service_manager find;`
			`binder_call(update_verifier, servicemanager)`
			`binder_call(update_verifier, vold)`