Allow gsid to read from FIFO
`gsid` may receive a FIFO if invoked via `gsi_tool`. For the `su root` case, allow `gsid` to read `shell` FIFO. For the `adb root` case, allow `gsid` to read `su` FIFO. Move `gsi_tool` related allow rules to userdebug and eng build only, because these are development features that require root permission, thus shouldn't be shipped on a user build. Bug: 166589508 Test: adb unroot && gzip -c system.raw | adb shell "zcat | su root gsi_tool install ..." Test: adb root && gzip -c system.raw | adb shell "zcat | gsi_tool install ..." Change-Id: I779e4d49eb57240b1a5422139d7683dbac0da988
This commit is contained in:
Yo Chiang
parent
dab50ef0a3
commit
45fb38b8ec
1 changed files with 9 additions and 4 deletions
|
|
@ -69,10 +69,15 @@ allow gsid sdcard_block_device:blk_file r_file_perms;
|
|||
# requirement, but the kernel does not implement FIEMAP support for VFAT.
|
||||
allow gsid self:global_capability_class_set sys_rawio;
|
||||
|
||||
# gsi_tool passes the system image over the adb connection, via stdin.
|
||||
allow gsid adbd:fd use;
|
||||
# Needed when running gsi_tool through "su root" rather than adb root.
|
||||
allow gsid adbd:unix_stream_socket rw_socket_perms;
|
||||
# Allow rules for gsi_tool.
|
||||
userdebug_or_eng(`
|
||||
# gsi_tool passes the system image over the adb connection, via stdin.
|
||||
allow gsid adbd:fd use;
|
||||
# Needed when running gsi_tool through "su root" rather than adb root.
|
||||
allow gsid adbd:unix_stream_socket rw_socket_perms;
|
||||
# gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
|
||||
allow gsid { shell su }:fifo_file r_file_perms;
|
||||
')
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
|
|
|
|||
Loading…
Reference in a new issue