Add sepolicy for starting the snapuserd daemon through init.
Restrict access to controlling snapuserd via ctl properties. Allow update_engine to control snapuserd, and connect/write to its socket. update_engine needs this access so it can create the appropriate dm-user device (which sends queries to snapuserd), which is then used to build the update snapshot. This also fixes a bug where /dev/dm-user was not properly labelled. As a result, snapuserd and update_engine have been granted r_dir_perms to dm_user_device. Bug: 168554689 Test: full ota with VABC enabled Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
This commit is contained in:
parent
5d6020d9f5
commit
09bb944221
10 changed files with 24 additions and 6 deletions
|
@ -9,6 +9,7 @@
|
|||
adbd_config_prop
|
||||
apex_info_file
|
||||
cgroup_v2
|
||||
ctl_snapuserd_prop
|
||||
debugfs_kprobes
|
||||
device_config_profcollect_native_boot_prop
|
||||
device_state_service
|
||||
|
|
|
@ -94,7 +94,7 @@
|
|||
/dev/console u:object_r:console_device:s0
|
||||
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
|
||||
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
|
||||
/dev/dm-user/.+ u:object_r:dm_user_device:s0
|
||||
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
|
||||
/dev/device-mapper u:object_r:dm_device:s0
|
||||
/dev/eac u:object_r:audio_device:s0
|
||||
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
# Properties used only in /system
|
||||
system_internal_prop(adbd_prop)
|
||||
system_internal_prop(ctl_snapuserd_prop)
|
||||
system_internal_prop(device_config_profcollect_native_boot_prop)
|
||||
system_internal_prop(device_config_storage_native_boot_prop)
|
||||
system_internal_prop(device_config_sys_traced_prop)
|
||||
|
|
|
@ -172,6 +172,11 @@ ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
|
|||
# Restrict access to restart dumpstate
|
||||
ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
|
||||
|
||||
# Restrict access to control snapuserd
|
||||
ctl.start$snapuserd u:object_r:ctl_snapuserd_prop:s0
|
||||
ctl.stop$snapuserd u:object_r:ctl_snapuserd_prop:s0
|
||||
ctl.restart$snapuserd u:object_r:ctl_snapuserd_prop:s0
|
||||
|
||||
# NFC properties
|
||||
nfc. u:object_r:nfc_prop:s0
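Review bot: Only `ctl.start$`, `ctl.stop$` and `ctl.restart$` are pinned to ctl_snapuserd_prop here, while init's ctl.* handling (not visible on this page) also accepts `ctl.oneshot_on$`/`ctl.oneshot_off$` and `ctl.sigstop_on$`/`ctl.sigstop_off$` for a named service, and those keys for snapuserd would resolve to whatever generic `ctl.` entry this file carries outside the hunk. If that fallback type is settable by more domains than ctl_snapuserd_prop, the restriction the new comment promises is only partial; either confirm the fallback is limited to init, or add matching entries such as `ctl.sigstop_on$snapuserd u:object_r:ctl_snapuserd_prop:s0` and `ctl.sigstop_off$snapuserd u:object_r:ctl_snapuserd_prop:s0`. The three entries themselves follow the existing per-service pattern shown by the hunk header (`ctl.stop$apexd`).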
|
||||
|
||||
|
|
|
@ -127,6 +127,7 @@ set_prop(shell, heapprofd_enabled_prop)
|
|||
set_prop(shell, traced_perf_enabled_prop)
|
||||
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
|
||||
set_prop(shell, ctl_gsid_prop)
|
||||
set_prop(shell, ctl_snapuserd_prop)
|
||||
# Allow shell to enable Dynamic System Update
|
||||
set_prop(shell, dynamic_system_prop)
|
||||
# Allow shell to mock an OTA using persist.pm.mock-upgrade
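Review bot: The new `set_prop(shell, ctl_snapuserd_prop)` lets the adb shell domain start, stop and restart snapuserd, but neither the commit description (which only names update_engine) nor a comment explains why shell needs it, and the line sits under a comment that still reads `# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.` snapuserd is described in this change as the daemon servicing dm-user requests for Virtual A/B snapshots, so stopping it from a shell while a snapshot device is in use could presumably stall I/O on that device, which makes this grant worth a stated justification. If it exists for test tooling, say so and widen the comment, e.g. `# Allow shell to start/stop gsid and snapuserd via ctl.start|stop|restart (snapuserd: for OTA test tooling).`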
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
|
||||
type snapuserd, domain;
|
||||
type snapuserd_exec, exec_type, file_type, system_file_type;
|
||||
|
||||
typeattribute snapuserd coredomain;
|
||||
|
||||
|
@ -12,4 +14,5 @@ allow snapuserd dm_device:chr_file rw_file_perms;
|
|||
allow snapuserd dm_device:blk_file rw_file_perms;
|
||||
|
||||
# Reading and writing to dm-user control nodes.
|
||||
allow snapuserd dm_user_device:dir r_dir_perms;
|
||||
allow snapuserd dm_user_device:chr_file rw_file_perms;
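Review bot: The comment `# Reading and writing to dm-user control nodes.` does not say what the `dir` rule beneath it is for, and since the file_contexts change in this commit appears to label the `/dev/dm-user` directory itself as dm_user_device, that directory rule is what makes the per-device nodes under it reachable at all. Suggest `# /dev/dm-user is itself labelled dm_user_device: search/read the directory to find the per-device control nodes, then read/write those nodes.` The remaining snapuserd rules in this file are outside the hunk.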
|
||||
|
|
|
@ -9,6 +9,9 @@ binder_call(update_engine, gsid)
|
|||
# Allow to start gsid service.
|
||||
set_prop(update_engine, ctl_gsid_prop)
|
||||
|
||||
# Allow to start snapuserd for dm-user communication.
|
||||
set_prop(update_engine, ctl_snapuserd_prop)
|
||||
|
||||
# Allow to set the OTA related properties, e.g. ota.warm_reset.
|
||||
set_prop(update_engine, ota_prop)
|
||||
|
||||
|
@ -17,3 +20,7 @@ get_prop(update_engine, gsid_prop)
|
|||
|
||||
# Allow update_engine to call the callback function provided by GKI update hook.
|
||||
binder_call(update_engine, gki_apex_prepostinstall)
|
||||
|
||||
# Allow to communicate with the snapuserd service, for dm-user snapshots.
|
||||
allow update_engine snapuserd:unix_stream_socket connectto;
|
||||
allow update_engine snapuserd_socket:sock_file write;
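Review bot: The two raw rules `allow update_engine snapuserd:unix_stream_socket connectto;` and `allow update_engine snapuserd_socket:sock_file write;` are exactly the expansion of the `unix_socket_connect` macro that this same commit uses for init (`unix_socket_connect(init, lmkd, lmkd)`), so the idiomatic form here is the single line `unix_socket_connect(update_engine, snapuserd, snapuserd)`. Using the macro keeps the pair in step if the macro ever changes and reads as intent rather than mechanics. Separately, `snapuserd_socket` is not declared in any hunk on this page, so it must already exist in file.te and file_contexts; worth confirming the `/dev/socket/snapuserd` labelling is present, since nothing here adds it.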
|
||||
|
|
|
@ -27,7 +27,7 @@ allow init property_info:file relabelto;
|
|||
allow init device:file relabelfrom;
|
||||
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
|
||||
# /dev/socket
|
||||
allow init { device socket_device }:dir relabelto;
|
||||
allow init { device socket_device dm_user_device }:dir relabelto;
|
||||
# allow init to establish connection and communicate with lmkd
|
||||
unix_socket_connect(init, lmkd, lmkd)
|
||||
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
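Review bot: The comment `# /dev/socket` above `allow init { device socket_device dm_user_device }:dir relabelto;` is now stale, because the rule also covers the `/dev/dm-user` directory that the file_contexts change in this commit appears to label dm_user_device. Suggest `# /dev/socket and /dev/dm-user (relabelled by init after policy load)`; the reason given is my reading of why init needs relabelto here rather than something the hunk states, so adjust it if the directory is created differently.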
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
|
||||
|
||||
type snapuserd, domain;
|
||||
type snapuserd_exec, exec_type, file_type, system_file_type;
|
|
@ -65,6 +65,10 @@ allow update_engine_common dm_device:chr_file rw_file_perms;
|
|||
# apply / verify updates on devices mapped via device mapper
|
||||
allow update_engine_common dm_device:blk_file rw_file_perms;
|
||||
|
||||
# read /dev/dm-user, so that we can inotify wait for control devices to be
|
||||
# asynchronously created by ueventd.
|
||||
allow update_engine dm_user_device:dir r_dir_perms;
|
||||
|
||||
# read / write metadata on super device to resize partitions
|
||||
allow update_engine_common super_block_device_type:blk_file rw_file_perms;
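Review bot: The new rule `allow update_engine dm_user_device:dir r_dir_perms;` sits among rules for the update_engine_common attribute but grants only to the update_engine type, which is inconsistent with every neighbouring line in this file and easy to misread; either it belongs in update_engine.te (which this commit already edits) or, if every update_engine_common domain needs it, it should read `allow update_engine_common dm_user_device:dir r_dir_perms;`. The comment says the access exists to inotify-wait for control nodes; on kernels that enforce the `watch`/`watch_reads` permissions, inotify on the directory needs those beyond the classic read/search set, so check that this tree's `r_dir_perms` macro already includes them (it is not visible here), otherwise the wait is denied in enforcing mode. The file's remaining rules continue outside the hunk.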
|
||||
|
||||
|
|