2015-10-05 23:04:39 +02:00
|
|
|
# Domain for update_engine daemon.
|
2017-05-15 22:19:03 +02:00
|
|
|
type update_engine, domain, update_engine_common;
|
2018-09-27 19:21:37 +02:00
|
|
|
type update_engine_exec, system_file_type, exec_type, file_type;
|
2015-10-05 23:04:39 +02:00
|
|
|
|
|
|
|
net_domain(update_engine);
|
|
|
|
|
|
|
|
# Following permissions are needed for update_engine.
|
|
|
|
allow update_engine self:process { setsched };
|
2017-11-09 23:51:26 +01:00
|
|
|
allow update_engine self:global_capability_class_set { fowner sys_admin };
|
2017-11-12 23:38:03 +01:00
|
|
|
# Note: fsetid checks are triggered when creating a file in a directory with
|
|
|
|
# the setgid bit set to determine if the file should inherit setgid. In this
|
|
|
|
# case, setgid on the file is undesirable so we should just suppress the
|
|
|
|
# denial.
|
2017-11-09 23:51:26 +01:00
|
|
|
dontaudit update_engine self:global_capability_class_set fsetid;
|
2017-11-12 23:38:03 +01:00
|
|
|
|
2019-03-20 23:36:26 +01:00
|
|
|
allow update_engine kmsg_device:chr_file { getattr w_file_perms };
|
2015-11-21 01:09:14 +01:00
|
|
|
allow update_engine update_engine_exec:file rx_file_perms;
|
2015-10-05 23:04:39 +02:00
|
|
|
wakelock_use(update_engine);
|
|
|
|
|
2016-03-02 01:14:45 +01:00
|
|
|
# Ignore these denials.
|
|
|
|
dontaudit update_engine kernel:process setsched;
|
2018-08-15 21:34:20 +02:00
|
|
|
dontaudit update_engine self:global_capability_class_set sys_rawio;
|
2016-03-02 01:14:45 +01:00
|
|
|
|
2015-10-05 23:04:39 +02:00
|
|
|
# Allow using persistent storage in /data/misc/update_engine.
|
2017-11-06 12:56:00 +01:00
|
|
|
allow update_engine update_engine_data_file:dir create_dir_perms;
|
|
|
|
allow update_engine update_engine_data_file:file create_file_perms;
|
|
|
|
|
|
|
|
# Allow using persistent storage in /data/misc/update_engine_log.
|
|
|
|
allow update_engine update_engine_log_data_file:dir create_dir_perms;
|
|
|
|
allow update_engine update_engine_log_data_file:file create_file_perms;
|
2015-10-05 23:04:39 +02:00
|
|
|
|
|
|
|
# Don't allow kernel module loading, just silence the logs.
|
|
|
|
dontaudit update_engine kernel:system module_request;
|
2016-01-26 01:41:03 +01:00
|
|
|
|
|
|
|
# Register the service to perform Binder IPC.
|
|
|
|
binder_use(update_engine)
|
2017-01-19 22:23:52 +01:00
|
|
|
add_service(update_engine, update_engine_service)
|
2016-01-26 01:41:03 +01:00
|
|
|
|
2019-12-03 23:02:57 +01:00
|
|
|
# Allow update_engine to call the callback function provided by priv_app/GMS core.
|
2016-01-26 01:41:03 +01:00
|
|
|
binder_call(update_engine, priv_app)
|
2019-12-03 23:02:57 +01:00
|
|
|
# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
|
|
|
|
userdebug_or_eng(`
|
|
|
|
auditallow update_engine priv_app:binder { call transfer };
|
|
|
|
auditallow priv_app update_engine:binder transfer;
|
|
|
|
auditallow update_engine priv_app:fd use;
|
|
|
|
')
|
|
|
|
|
2019-12-03 20:13:51 +01:00
|
|
|
binder_call(update_engine, gmscore_app)
|
2016-05-25 06:07:48 +02:00
|
|
|
|
2018-11-21 19:10:54 +01:00
|
|
|
# Allow update_engine to call the callback function provided by system_server.
|
|
|
|
binder_call(update_engine, system_server)
|
|
|
|
|
2016-05-25 06:07:48 +02:00
|
|
|
# Read OTA zip file at /data/ota_package/.
|
|
|
|
allow update_engine ota_package_file:file r_file_perms;
|
|
|
|
allow update_engine ota_package_file:dir r_dir_perms;
|
2016-11-19 03:44:07 +01:00
|
|
|
|
Switch Boot Control HAL policy to _client/_server
This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.
Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.
Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.
P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.
Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
1. make dist
2. Ensure device has network connectivity
3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
2017-03-17 03:17:15 +01:00
|
|
|
# Use Boot Control HAL
|
|
|
|
hal_client_domain(update_engine, hal_bootctl)
|
2017-10-04 01:09:08 +02:00
|
|
|
|
/proc, /sys access from uncrypt, update_engine, postinstall_dexopt
New types:
1. proc_random
2. sysfs_dt_firmware_android
Labeled:
1. /proc/sys/kernel/random as proc_random.
2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab,
vbmeta} as sysfs_dt_firmware_android.
Changed access:
1. uncrypt, update_engine, postinstall_dexopt have access to generic proc
and sysfs labels removed.
2. appropriate permissions were added to uncrypt, update_engine,
update_engine_common, postinstall_dexopt.
Bug: 67416435
Bug: 67416336
Test: fake ota go/manual-ab-ota runs without denials
Test: adb sideload runs without denials to new types
Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a
2017-10-04 19:34:11 +02:00
|
|
|
# access /proc/misc
|
2017-10-04 01:09:08 +02:00
|
|
|
allow update_engine proc_misc:file r_file_perms;
|
|
|
|
|
|
|
|
# read directories on /system and /vendor
|
|
|
|
allow update_engine system_file:dir r_dir_perms;
|
2019-08-07 22:01:15 +02:00
|
|
|
|
2019-08-15 00:49:00 +02:00
|
|
|
# update_engine tries to determine the parent path for all devices (e.g.
|
|
|
|
# /dev/block/by-name) by reading the default fstab and looking for the misc
|
|
|
|
# device. ReadDefaultFstab() checks whether a GSI is running by checking
|
|
|
|
# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
|
|
|
|
# the access.
|
|
|
|
dontaudit update_engine gsi_metadata_file:dir search;
|
2020-02-05 01:37:52 +01:00
|
|
|
|
|
|
|
# Allow to write to snapshotctl_log logs.
|
|
|
|
# TODO(b/148818798) revert when parent bug is fixed.
|
|
|
|
userdebug_or_eng(`
|
|
|
|
allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
|
|
|
|
allow update_engine snapshotctl_log_data_file:file create_file_perms;
|
|
|
|
')
|