# gsid - Manager for GSI Installation
#
# gsid is an init-started daemon (init_daemon_domain) that registers the
# gsi_service binder service. The rules below let it lay a DSU/GSI image out
# on userdata (via device-mapper or loop devices) or on an sdcard, and hand
# boot information to first-stage init through /metadata/gsi. Several rules
# carry broad Linux capabilities; the rationale for each is kept next to it.
type gsid, domain;
type gsid_exec, exec_type, file_type, system_file_type;
typeattribute gsid coredomain;

init_daemon_domain(gsid)

binder_use(gsid)
binder_service(gsid)
add_service(gsid, gsi_service)

# Manage DSU metadata encryption key through vold.
allow gsid vold_service:service_manager find;
binder_call(gsid, vold)

# gsid_prop is the only property this domain sets; the neverallow further
# down restricts which other domains may set it.
set_prop(gsid, gsid_prop)

# Needed to create/delete device-mapper nodes, and read/write to them.
allow gsid dm_device:chr_file rw_file_perms;
allow gsid dm_device:blk_file rw_file_perms;
# NOTE(review): sys_admin is a broad capability. It is granted here under the
# device-mapper rationale above (dm control ioctls); no narrower capability
# is identified in this file, so confirm it is still required when reviewing.
allow gsid self:global_capability_class_set sys_admin;
# dac_override is deliberately NOT granted; denials are only silenced so that
# expected probes do not fill the audit log.
dontaudit gsid self:global_capability_class_set dac_override;

# On FBE devices (not using dm-default-key), gsid will use loop devices to map
# images rather than device-mapper.
allow gsid loop_control_device:chr_file rw_file_perms;
allow gsid loop_device:blk_file rw_file_perms;
# ioctl access on loop devices is limited to this explicit allowlist; any loop
# ioctl not named here is denied by the extended-permission check.
allowxperm gsid loop_device:blk_file ioctl {
  LOOP_GET_STATUS64
  LOOP_SET_STATUS64
  LOOP_SET_FD
  LOOP_SET_BLOCK_SIZE
  LOOP_SET_DIRECT_IO
  LOOP_CLR_FD
  BLKFLSBUF
};

# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
# file names.
r_dir_file(gsid, sysfs_dm)

# libfiemap_writer needs to read /sys/fs/f2fs/<dev>/features to determine
# whether pin_file support is enabled.
r_dir_file(gsid, sysfs_fs_f2fs)

# Needed to read fstab, which is used to validate that system verity does not
# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
# to get the A/B slot suffix).
read_fstab(gsid)
allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
allow gsid sysfs_dt_firmware_android:file r_file_perms;

# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
allow gsid block_device:dir r_dir_perms;

# Allow querying the size of super_block_device_type.
allow gsid super_block_device_type:blk_file r_file_perms;

# liblp queries these block alignment properties.
# Only these two read-only geometry ioctls are permitted on the raw partitions;
# gsid has no write access to userdata_block_device or sdcard_block_device
# (see the r_file_perms rules for each below).
allowxperm gsid {
  userdata_block_device
  sdcard_block_device
  super_block_device_type
}:blk_file ioctl {
  BLKIOMIN
  BLKALIGNOFF
};

# When installing images to an sdcard, gsid needs to be able to stat() the
# block device. gsid also calls realpath() to remove symlinks.
allow gsid mnt_media_rw_file:dir r_dir_perms;
allow gsid mnt_media_rw_stub_file:dir r_dir_perms;

# When installing images to an sdcard, gsid must bypass sdcardfs and install
# directly to vfat, which supports the FIBMAP ioctl.
# NOTE(review): vfat is a filesystem-wide type, so these two rules grant
# create/write on any vfat-labeled directory or file, not only the install
# location; keep this scope in mind when reviewing sdcard install paths.
allow gsid vfat:dir create_dir_perms;
allow gsid vfat:file create_file_perms;
allow gsid sdcard_block_device:blk_file r_file_perms;
# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
# requirement, but the kernel does not implement FIEMAP support for VFAT.
# NOTE(review): like sys_admin above, sys_rawio is a broad capability and is
# granted for the FIBMAP case only.
allow gsid self:global_capability_class_set sys_rawio;

# Allow rules for gsi_tool.
# Everything inside this macro exists only on userdebug/eng builds; the adbd,
# shell/su and sdcard/fuse access below is absent from user builds.
userdebug_or_eng(`
  # gsi_tool passes the system image over the adb connection, via stdin.
  allow gsid adbd:fd use;
  # Needed when running gsi_tool through "su root" rather than adb root.
  allow gsid adbd:unix_stream_socket rw_socket_perms;
  # gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
  allow gsid { shell su }:fifo_file r_file_perms;
  # Allow installing images from /storage/emulated/...
  allow gsid { sdcard_type fuse }:file r_file_perms;
')

# Only gsid itself, init, and the update-/recovery-side domains may set
# gsid_prop; every other domain is forbidden at policy-compile time.
neverallow {
  domain
  -gsid
  -init
  -update_engine_common
  -recovery
  -fastbootd
} gsid_prop:property_service set;

# gsid needs to store images on /data, but cannot use file I/O. If it did, the
# underlying blocks would be encrypted, and we couldn't mount the GSI image in
# first-stage init. So instead of directly writing to /data, we:
#
# 1. fallocate a file large enough to hold the signed GSI
# 2. extract its block layout with FIEMAP
# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
# 4. write system_gsi into that dm device
#
# To make this process work, we need to unwrap the device-mapper stacking for
# userdata to reach the underlying block device. To verify the result we use
# stat(), which requires read access.
allow gsid userdata_block_device:blk_file r_file_perms;

# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
# init. It cannot use userdata since data cannot be decrypted during this
# stage.
#
# gsid uses /metadata/gsi to store three files:
#   install_status - A short string indicating whether a GSI image is bootable.
#   lp_metadata    - LpMetadata blob describing the block ranges on userdata
#                    where system_gsi resides.
#   booted         - An empty file that, if exists, indicates that a GSI is
#                    currently running.
#
allow gsid metadata_file:dir { search getattr };
allow gsid {
  gsi_metadata_file_type
}:dir create_dir_perms;

allow gsid {
  ota_metadata_file
}:dir rw_dir_perms;

allow gsid {
  gsi_metadata_file_type
  ota_metadata_file
}:file create_file_perms;

# Allow restorecon to fix context of gsi_public_metadata_file.
# Relabeling is one-directional: from gsi_metadata_file to
# gsi_public_metadata_file only.
allow gsid file_contexts_file:file r_file_perms;
allow gsid gsi_metadata_file:file relabelfrom;
allow gsid gsi_public_metadata_file:file relabelto;

allow gsid {
  gsi_data_file
  ota_image_data_file
}:dir create_dir_perms;
allow gsid {
  gsi_data_file
  ota_image_data_file
}:file create_file_perms;
# Only the two ioctls needed to read the block layout (FIEMAP) and inode
# flags of the image files are permitted.
allowxperm gsid {
  gsi_data_file
  ota_image_data_file
}:file ioctl {
  FS_IOC_FIEMAP
  FS_IOC_GETFLAGS
};

# NOTE(review): no rationale is recorded for this rule; document which
# system_server interface gsid calls back into.
allow gsid system_server:binder call;

# Prevent most processes from writing to gsi_metadata_file_type, but allow
# adding rules for path resolution of gsi_public_metadata_file and reading
# gsi_public_metadata_file.
neverallow {
  domain
  -init
  -gsid
  -fastbootd
} gsi_metadata_file_type:dir no_w_dir_perms;

neverallow {
  domain
  -init
  -gsid
  -fastbootd
} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;

# gsi_public_metadata_file is read-only for everyone but init, gsid and
# fastbootd.
neverallow {
  domain
  -init
  -gsid
  -fastbootd
} gsi_public_metadata_file:file_class_set ~{ r_file_perms };

# Prevent apps from accessing gsi_metadata_file_type.
neverallow {
  appdomain
  -shell
} gsi_metadata_file_type:dir_file_class_set *;

# gsi_data_file (the image backing store on /data) is owned by gsid alone:
# init is exempted only from the first rule, so it may still relabel and
# stat these files but nothing more.
neverallow {
  domain
  -init
  -gsid
} gsi_data_file:dir_file_class_set *;

neverallow {
  domain
  -gsid
} gsi_data_file:file_class_set ~{ relabelto getattr };