tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/update_engine.te

78 lines
3 KiB
Text
Raw Normal View History

Move update_engine policy to AOSP. The update_engine daemon from Brillo is expected to be used also in Android so move its selinux policy to AOSP. Put update_engine in the whitelist (currently only has the recovery there) allowing it to bypass the notallow for writing to partititions labeled as system_block_device. Also introduce the misc_block_device dev_type as update_engine in some configurations may need to read/write the misc partition. Start migrating uncrypt to use this instead of overly broad block_device:blk_file access. Bug: 23186405 Test: Manually tested with Brillo build. Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
2015-10-05 23:04:39 +02:00
# Domain for update_engine daemon.
Move domain_deprecated into private policy This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
2017-05-15 22:19:03 +02:00
type update_engine, domain, update_engine_common;
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 19:21:37 +02:00
type update_engine_exec, system_file_type, exec_type, file_type;
Move update_engine policy to AOSP. The update_engine daemon from Brillo is expected to be used also in Android so move its selinux policy to AOSP. Put update_engine in the whitelist (currently only has the recovery there) allowing it to bypass the notallow for writing to partititions labeled as system_block_device. Also introduce the misc_block_device dev_type as update_engine in some configurations may need to read/write the misc partition. Start migrating uncrypt to use this instead of overly broad block_device:blk_file access. Bug: 23186405 Test: Manually tested with Brillo build. Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
2015-10-05 23:04:39 +02:00
net_domain(update_engine);
# Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow update_engine self:global_capability_class_set { fowner sys_admin };
Do not audit the fsetid capability for update engine There's a selinux denial for update_engine after go/aog/530462; the denial is likely due to the setgid bit of the update_engine_log_data_file. Message: 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:4): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:5): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:4): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:5): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 Bug: 69197466 Test: denial message gone on sailfish. Change-Id: I0fdc285e4a4faa8dc37b4907484b3c79d4cc49cf
2017-11-12 23:38:03 +01:00
# Note: fsetid checks are triggered when creating a file in a directory with
# the setgid bit set to determine if the file should inherit setgid. In this
# case, setgid on the file is undesirable so we should just suppress the
# denial.
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
dontaudit update_engine self:global_capability_class_set fsetid;
Do not audit the fsetid capability for update engine There's a selinux denial for update_engine after go/aog/530462; the denial is likely due to the setgid bit of the update_engine_log_data_file. Message: 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:4): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:5): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:4): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:5): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 Bug: 69197466 Test: denial message gone on sailfish. Change-Id: I0fdc285e4a4faa8dc37b4907484b3c79d4cc49cf
2017-11-12 23:38:03 +01:00
Allow to getattr kmsg_device These denials occur on boot when android_get_control_file also changes from readlink() to realpath(), because realpath() will lstat() the given path. Some other domains (fastbootd, update_engine, etc.) also uses libcutils to write to kernel log, where android_get_control_file() is invoked, hence getattr is added to them as well. 04-28 06:15:22.290 618 618 I auditd : type=1400 audit(0.0:4): avc: denied { getattr } for comm="logd" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:logd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 03-20 19:52:23.431 900 900 I auditd : type=1400 audit(0.0:7): avc: denied { getattr } for comm="android.hardwar" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 ... 03-20 22:40:42.316 1 1 W init : type=1400 audit(0.0:33): avc: denied { getattr } for path="/dev/kmsg" dev="tmpfs" ino=21999 scontext=u:r:init:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 Test: no denials related to these Change-Id: I5263dd6b64c06fb092f3461858f57a1a09107429
2019-03-20 23:36:26 +01:00
allow update_engine kmsg_device:chr_file { getattr w_file_perms };
Add bspatch to update_engine_exec. This allow bspatch to have same perssion as update_engine. Also added a rule to allow update_engine to execute bspatch. Bug: 24478450 Test: No more permission deny during delta update. Change-Id: If94bc703b2f3fc32f901f0d7f300934316d4e9a4
2015-11-21 01:09:14 +01:00
allow update_engine update_engine_exec:file rx_file_perms;
Move update_engine policy to AOSP. The update_engine daemon from Brillo is expected to be used also in Android so move its selinux policy to AOSP. Put update_engine in the whitelist (currently only has the recovery there) allowing it to bypass the notallow for writing to partititions labeled as system_block_device. Also introduce the misc_block_device dev_type as update_engine in some configurations may need to read/write the misc partition. Start migrating uncrypt to use this instead of overly broad block_device:blk_file access. Bug: 23186405 Test: Manually tested with Brillo build. Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
2015-10-05 23:04:39 +02:00
wakelock_use(update_engine);
New postinstall domain and rules to run post-install program. When using the A/B updater, a device specific hook is sometimes needed to run after the new partitions are updated but before rebooting into the new image. This hook is referred to throughout the code as the "postinstall" step. This patch creates a new execution domain "postinstall" which update_engine will use to run said hook. Since the hook needs to run from the new image (namelly, slot "B"), update_engine needs to temporarly mount this B partition into /postinstall and then run a program from there. Since the new program in B runs from the old execution context in A, we can't rely on the labels set in the xattr in the new filesystem to enforce the policies baked into the old running image. Instead, when temporarily mounting the new filesystem in update_engine, we override all the new file attributes with the new postinstall_file type by passing "context=u:object_r:postinstall_file:s0" to the mount syscall. This allows us to set new rules specific to the postinstall environment that are consistent with the rules in the old system. Bug: 27177071 TEST=Deployed a payload with a trivial postinstall script to edison-eng. Change-Id: Ib06fab92afb45edaec3c9c9872304dc9386151b4
2016-03-02 01:14:45 +01:00
# Ignore these denials.
dontaudit update_engine kernel:process setsched;
sepolicy: Fix references to self:capability commit 9b2e0cbeeaae560b07e4ffa6e5b8e505699e4a76 added a new self:global_capability_class_set macro that covers both self:capability and self:cap_userns. Apply the new macro to various self:capability references that have cropped up since then. Bug: 112307595 Test: policy diff shows new rules are all cap_userns Change-Id: I3eb38ef07532a8e693fd549dfdbc4a6df5329609
2018-08-15 21:34:20 +02:00
dontaudit update_engine self:global_capability_class_set sys_rawio;
New postinstall domain and rules to run post-install program. When using the A/B updater, a device specific hook is sometimes needed to run after the new partitions are updated but before rebooting into the new image. This hook is referred to throughout the code as the "postinstall" step. This patch creates a new execution domain "postinstall" which update_engine will use to run said hook. Since the hook needs to run from the new image (namelly, slot "B"), update_engine needs to temporarly mount this B partition into /postinstall and then run a program from there. Since the new program in B runs from the old execution context in A, we can't rely on the labels set in the xattr in the new filesystem to enforce the policies baked into the old running image. Instead, when temporarily mounting the new filesystem in update_engine, we override all the new file attributes with the new postinstall_file type by passing "context=u:object_r:postinstall_file:s0" to the mount syscall. This allows us to set new rules specific to the postinstall environment that are consistent with the rules in the old system. Bug: 27177071 TEST=Deployed a payload with a trivial postinstall script to edison-eng. Change-Id: Ib06fab92afb45edaec3c9c9872304dc9386151b4
2016-03-02 01:14:45 +01:00
Move update_engine policy to AOSP. The update_engine daemon from Brillo is expected to be used also in Android so move its selinux policy to AOSP. Put update_engine in the whitelist (currently only has the recovery there) allowing it to bypass the notallow for writing to partititions labeled as system_block_device. Also introduce the misc_block_device dev_type as update_engine in some configurations may need to read/write the misc partition. Start migrating uncrypt to use this instead of overly broad block_device:blk_file access. Bug: 23186405 Test: Manually tested with Brillo build. Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
2015-10-05 23:04:39 +02:00
# Allow using persistent storage in /data/misc/update_engine.
Allow update_engine to access /data/misc/update_engine_log Add label update_engine_log_data_file for log files created by update engine in directory /data/misc/update_engine_log. Bug: 65568605 Test: manual Change-Id: I379db82a0ea540e41cb3b8e03f93d9ce64fac7c9
2017-11-06 12:56:00 +01:00
allow update_engine update_engine_data_file:dir create_dir_perms;
allow update_engine update_engine_data_file:file create_file_perms;
# Allow using persistent storage in /data/misc/update_engine_log.
allow update_engine update_engine_log_data_file:dir create_dir_perms;
allow update_engine update_engine_log_data_file:file create_file_perms;
Move update_engine policy to AOSP. The update_engine daemon from Brillo is expected to be used also in Android so move its selinux policy to AOSP. Put update_engine in the whitelist (currently only has the recovery there) allowing it to bypass the notallow for writing to partititions labeled as system_block_device. Also introduce the misc_block_device dev_type as update_engine in some configurations may need to read/write the misc partition. Start migrating uncrypt to use this instead of overly broad block_device:blk_file access. Bug: 23186405 Test: Manually tested with Brillo build. Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
2015-10-05 23:04:39 +02:00
# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;
Allow update_engine to use Binder IPC. Register service with servicemanager and name the context. avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager Also allow priv_app to communicate with update_engine. avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c
2016-01-26 01:41:03 +01:00
# Register the service to perform Binder IPC.
binder_use(update_engine)
te_macros: introduce add_service() macro Introduce the add_service() macro which wraps up add/find permissions for the source domain with a neverallow preventing others from adding it. Only a particular domain should add a particular service. Use the add_service() macro to automatically add a neverallow that prevents other domains from adding the service. mediadrmserver was adding services labeled mediaserver_service. Drop the add permission as it should just need the find permission. Additionally, the macro adds the { add find } permission which causes some existing neverallow's to assert. Adjust those neverallow's so "self" can always find. Test: compile and run on hikey and emulator. No new denials were found, and all services, where applicable, seem to be running OK. Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-19 22:23:52 +01:00
add_service(update_engine, update_engine_service)
Allow update_engine to use Binder IPC. Register service with servicemanager and name the context. avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager Also allow priv_app to communicate with update_engine. avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c
2016-01-26 01:41:03 +01:00
Audit binder_call rule for priv_app in update_engine.te We've moved GMS core to its own domain, and this permission should no longer be applied to the broader priv_app domain. Before we delete the rule, we are auditing it to see if any other privapps need it. Bug: 142672293 Test: TH Change-Id: I29c29739f4c3caf5d24361b69adc584047da0ef0
2019-12-03 23:02:57 +01:00
# Allow update_engine to call the callback function provided by priv_app/GMS core.
Allow update_engine to use Binder IPC. Register service with servicemanager and name the context. avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager Also allow priv_app to communicate with update_engine. avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c
2016-01-26 01:41:03 +01:00
binder_call(update_engine, priv_app)
Audit binder_call rule for priv_app in update_engine.te We've moved GMS core to its own domain, and this permission should no longer be applied to the broader priv_app domain. Before we delete the rule, we are auditing it to see if any other privapps need it. Bug: 142672293 Test: TH Change-Id: I29c29739f4c3caf5d24361b69adc584047da0ef0
2019-12-03 23:02:57 +01:00
# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
userdebug_or_eng(`
auditallow update_engine priv_app:binder { call transfer };
auditallow priv_app update_engine:binder transfer;
auditallow update_engine priv_app:fd use;
')
Allow update_engine to call gmscore_app We need this permission now that GMS core runs in its own domain and not in the priv_app domain. Bug: 145379440 Bug: 142672293 Test: TH Change-Id: Idc4bf6863ba767d287c218c07d0eb5aebbe50f91
2019-12-03 20:13:51 +01:00
binder_call(update_engine, gmscore_app)
Add ota_package_file label for OTA packages. (cherry picked from commit 6c3f2831aca571ec3b01f60996965a432aa8164d) Allow priv_app, uncrypt, update_engine to access the OTA packages at /data/ota_package (both A/B and non-A/B). GMSCore (priv_app) checks the existence of the folder, and downloads the package there if present. Bug: 28944800 Change-Id: I3c0717861fce7f93b33874a99f6a4a55567612a5
2016-05-25 06:07:48 +02:00
SELinux policy for new managed system update APIs We introduced a new API to allow Device Owner to install an OTA file on disk. This in turn requires system_server to be able to copy the OTA file to a known OTA file location, call into update_engine to start the installation and let update_engine to call back to the system_server to deliver any error conditions asynchronously. This CL modifies the SELinux policy to allow these interaction. Test: manual in TestDPC, CTS tests for negative cases: atest com.android.cts.devicepolicy.DeviceOwnerTest#testInstallUpdate Change-Id: Id1fbea9111f753c5c80f270c269ecb9ef141cd79 Bug: 111173669
2018-11-21 19:10:54 +01:00
# Allow update_engine to call the callback function provided by system_server.
binder_call(update_engine, system_server)
Add ota_package_file label for OTA packages. (cherry picked from commit 6c3f2831aca571ec3b01f60996965a432aa8164d) Allow priv_app, uncrypt, update_engine to access the OTA packages at /data/ota_package (both A/B and non-A/B). GMSCore (priv_app) checks the existence of the folder, and downloads the package there if present. Bug: 28944800 Change-Id: I3c0717861fce7f93b33874a99f6a4a55567612a5
2016-05-25 06:07:48 +02:00
# Read OTA zip file at /data/ota_package/.
allow update_engine ota_package_file:file r_file_perms;
allow update_engine ota_package_file:dir r_dir_perms;
Add permissions for hal_boot The service running the boot control HAL needs the permissions provided by the boot_control_hal attribute. update_engine and update_verifier still also need these permissions in order to successfully call the new HAL in pass-through mode, but also need permission to call the new service. Bug: 31864052 Test: Built and confirmed no permission denials. Change-Id: I2a6fdd5cf79b9e461d7cc14bd5b7abd6481ed911 Signed-off-by: Connor O'Brien <connoro@google.com>
2016-11-19 03:44:07 +01:00
Switch Boot Control HAL policy to _client/_server This switches Boot Control HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Boot Control HAL. Domains which are clients of Boot Control HAL, such as update_server, are granted rules targeting hal_bootctl only when the Boot Control HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_bootctl are not granted to client domains. Domains which offer a binderized implementation of Boot Control HAL, such as hal_bootctl_default domain, are always granted rules targeting hal_bootctl. P. S. This commit removes direct access to Boot Control HAL from system_server because system_server is not a client of this HAL. This commit also removes bootctrl_block_device type which is no longer used. Finally, boot_control_hal attribute is removed because it is now covered by the hal_bootctl attribute. Test: Device boots up, no new denials Test: Reboot into recovery, sideload OTA update succeeds Test: Apply OTA update via update_engine: 1. make dist 2. Ensure device has network connectivity 3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip Bug: 34170079 Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
2017-03-17 03:17:15 +01:00
# Use Boot Control HAL
hal_client_domain(update_engine, hal_bootctl)
Move update_engine rules out of update_engine_common.te Grant update_engine access to sysfs. Ran fake ota go/manual-ab-ota, and this denial was fixed: avc: denied { read } for pid=912 comm="update_engine" name="compatible" dev="sysfs" ino=17399 scontext=u:r:update_engine:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Test: boots with no new denials Change-Id: I8697da3af254aea1cec44d9dbb1eca18be31859c
2017-10-04 01:09:08 +02:00
/proc, /sys access from uncrypt, update_engine, postinstall_dexopt New types: 1. proc_random 2. sysfs_dt_firmware_android Labeled: 1. /proc/sys/kernel/random as proc_random. 2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab, vbmeta} as sysfs_dt_firmware_android. Changed access: 1. uncrypt, update_engine, postinstall_dexopt have access to generic proc and sysfs labels removed. 2. appropriate permissions were added to uncrypt, update_engine, update_engine_common, postinstall_dexopt. Bug: 67416435 Bug: 67416336 Test: fake ota go/manual-ab-ota runs without denials Test: adb sideload runs without denials to new types Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a
2017-10-04 19:34:11 +02:00
# access /proc/misc
Move update_engine rules out of update_engine_common.te Grant update_engine access to sysfs. Ran fake ota go/manual-ab-ota, and this denial was fixed: avc: denied { read } for pid=912 comm="update_engine" name="compatible" dev="sysfs" ino=17399 scontext=u:r:update_engine:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Test: boots with no new denials Change-Id: I8697da3af254aea1cec44d9dbb1eca18be31859c
2017-10-04 01:09:08 +02:00
allow update_engine proc_misc:file r_file_perms;
# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;
update_engine: rules to apply virtual A/B OTA - /data/gsi/ota/* now has the type ota_image_data_file. At runtime during an OTA, update_engine uses libsnapshot to talk to gsid to create these images as a backing storage of snapshots. These "COW images" stores the changes update_engine has applied to the partitions. If the update is successful, these changes will be merged to the partitions, and these images will be teared down. If the update fails, these images will be deleted after rolling back to the previous slot. - /metadata/gsi/ota/* now has the type ota_metadata_file. At runtime during an OTA, update_engine and gsid stores update states and information of the created snapshots there. At next boot, init reads these files to re-create the snapshots. Beside these assignments, this CL also allows gsid and update_engine to have the these permissions to do these operations. Bug: 135752105 Test: apply OTA, no failure Change-Id: Ibd53cacb6b4ee569c33cffbc18b1b801b62265de
2019-08-07 22:01:15 +02:00
# Allow to start gsid service.
set_prop(update_engine, ctl_gsid_prop)
dontaudit update_engine access to gsi_metadata_file. update_engine tries to determine the parent path for all devices (e.g. /dev/block/by-name) by reading the default fstab and looking for the misc device. ReadDefaultFstab() checks whether a GSI is running by checking gsi_metadata_file. We never apply OTAs when GSI is running, so just deny the access. Test: no selinux denials Fixes: 139283697 Change-Id: I3cba28ccb6871b328ab697a4a8f3476ac72f7bed
2019-08-15 00:49:00 +02:00
Add a new context for property ota.warm_reset The property is set to inform kernel to do a warm_reset on the next reboot. This is useful to persist the logs to debug device boot failures. More details in http://go/rvc-ota-persist-logs. The property is set to 1 by update_engine after an OTA. And it's set to 0 by update_verifier or vold after we mark the current slot boot successful. The property is read by vendor_init. And according to its value, vendor_init writes a particular sysfs file to schedule a warm reset on the following reboot. Without the new context, the denial message says: [ 13.423163] audit: type=1107 audit(1746393.166:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { read } for property=ota.warm_reset pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0' [ 23.096497] init: Unable to set property 'OTA.warm_reset' from uid:0 gid:2001 pid:841: SELinux permission check failed [ 23.096574] type=1107 audit(1573768000.668:42): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=OTA.warm_reset pid=841 uid=0 gid=2001 scontext=u:r:update_verifier:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0' [ 23.108430] update_verifier: Failed to reset the warm reset flag Bug: 143489994 Test: check the property can be set by update_engine, and read by vendor_init Change-Id: I87c12a53a138b72ecfed3ab6a4d846c20f5a8484
2019-11-14 23:18:40 +01:00
# Allow to set the OTA related properties, e.g. ota.warm_reset.
set_prop(update_engine, ota_prop)
dontaudit update_engine access to gsi_metadata_file. update_engine tries to determine the parent path for all devices (e.g. /dev/block/by-name) by reading the default fstab and looking for the misc device. ReadDefaultFstab() checks whether a GSI is running by checking gsi_metadata_file. We never apply OTAs when GSI is running, so just deny the access. Test: no selinux denials Fixes: 139283697 Change-Id: I3cba28ccb6871b328ab697a4a8f3476ac72f7bed
2019-08-15 00:49:00 +02:00
# update_engine tries to determine the parent path for all devices (e.g.
# /dev/block/by-name) by reading the default fstab and looking for the misc
# device. ReadDefaultFstab() checks whether a GSI is running by checking
# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
# the access.
dontaudit update_engine gsi_metadata_file:dir search;
Reference in a new issue Copy permalink