Support TCP based fastbootd in recovery mode.

The IPv6 link-local address is used to avoid expose device to out of network segment. BUG: 152544169 BUG: 155198345 Test: manual test. Change-Id: I0ce8c12de9976c01e57a6433c7fb50235e907dc5 Merged-In: I0ce8c12de9976c01e57a6433c7fb50235e907dc5 Merged-In: I409aeccd31293bf0ae3be5b1dbafe5a74daaaa9d
2020-04-23 23:43:13 -07:00 · 2020-04-23 23:43:13 -07:00 · b79c462f1b
commit b79c462f1b
parent 148998495c
10 changed files with 44 additions and 0 deletions
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@ -44,6 +44,7 @@
    device_config_configuration_prop
    emergency_affordance_service
    exported_camera_prop
+    fastbootd_protocol_prop
    file_integrity_service
    fwk_automotive_display_hwservice
    gmscore_app
--- a/prebuilts/api/30.0/private/property_contexts
+++ b/prebuilts/api/30.0/private/property_contexts
@ -97,6 +97,9 @@ test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0
 sys.lmk.                u:object_r:system_lmk_prop:s0
 sys.trace.              u:object_r:system_trace_prop:s0

+# Fastbootd protocol control property
+fastbootd.protocol    u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
+
 # Boolean property set by system server upon boot indicating
 # if device is fully owned by organization instead of being
 # a personal device.
--- a/prebuilts/api/30.0/public/fastbootd.te
+++ b/prebuilts/api/30.0/public/fastbootd.te
@ -120,6 +120,14 @@ recovery_only(`
  # Determine allocation scheme (whether B partitions needs to be
  # at the second half of super.
  get_prop(fastbootd, virtual_ab_prop)
+
+  # Needed for TCP protocol
+  allow fastbootd node:tcp_socket node_bind;
+  allow fastbootd port:tcp_socket name_bind;
+  allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+
+  # Get fastbootd protocol property
+  get_prop(fastbootd, fastbootd_protocol_prop)
 ')

 ###
--- a/prebuilts/api/30.0/public/property.te
+++ b/prebuilts/api/30.0/public/property.te
@ -14,6 +14,7 @@ system_internal_prop(device_config_sys_traced_prop)
 system_internal_prop(device_config_window_manager_native_boot_prop)
 system_internal_prop(device_config_configuration_prop)
 system_internal_prop(firstboot_prop)
+system_internal_prop(fastbootd_protocol_prop)
 system_internal_prop(gsid_prop)
 system_internal_prop(init_perf_lsm_hooks_prop)
 system_internal_prop(init_svc_debug_prop)
--- a/prebuilts/api/30.0/public/recovery.te
+++ b/prebuilts/api/30.0/public/recovery.te
@ -154,6 +154,15 @@ recovery_only(`

  # Allow mounting /metadata for writing update states
  allow recovery metadata_file:dir { getattr mounton };
+
+  # These are needed to allow recovery to manage network
+  allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
+  allow recovery self:global_capability_class_set net_admin;
+  allow recovery self:tcp_socket { create ioctl };
+  allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
+
+  # Set fastbootd protocol property
+  set_prop(recovery, fastbootd_protocol_prop)
 ')

 ###
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@ -44,6 +44,7 @@
    device_config_configuration_prop
    emergency_affordance_service
    exported_camera_prop
+    fastbootd_protocol_prop
    file_integrity_service
    fwk_automotive_display_hwservice
    gmscore_app
--- a/private/property_contexts
+++ b/private/property_contexts
@ -97,6 +97,9 @@ test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0
 sys.lmk.                u:object_r:system_lmk_prop:s0
 sys.trace.              u:object_r:system_trace_prop:s0

+# Fastbootd protocol control property
+fastbootd.protocol    u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
+
 # Boolean property set by system server upon boot indicating
 # if device is fully owned by organization instead of being
 # a personal device.
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@ -120,6 +120,14 @@ recovery_only(`
  # Determine allocation scheme (whether B partitions needs to be
  # at the second half of super.
  get_prop(fastbootd, virtual_ab_prop)
+
+  # Needed for TCP protocol
+  allow fastbootd node:tcp_socket node_bind;
+  allow fastbootd port:tcp_socket name_bind;
+  allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+
+  # Get fastbootd protocol property
+  get_prop(fastbootd, fastbootd_protocol_prop)
 ')

 ###
--- a/public/property.te
+++ b/public/property.te
@ -14,6 +14,7 @@ system_internal_prop(device_config_sys_traced_prop)
 system_internal_prop(device_config_window_manager_native_boot_prop)
 system_internal_prop(device_config_configuration_prop)
 system_internal_prop(firstboot_prop)
+system_internal_prop(fastbootd_protocol_prop)
 system_internal_prop(gsid_prop)
 system_internal_prop(init_perf_lsm_hooks_prop)
 system_internal_prop(init_svc_debug_prop)
--- a/public/recovery.te
+++ b/public/recovery.te
@ -154,6 +154,15 @@ recovery_only(`

  # Allow mounting /metadata for writing update states
  allow recovery metadata_file:dir { getattr mounton };
+
+  # These are needed to allow recovery to manage network
+  allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
+  allow recovery self:global_capability_class_set net_admin;
+  allow recovery self:tcp_socket { create ioctl };
+  allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
+
+  # Set fastbootd protocol property
+  set_prop(recovery, fastbootd_protocol_prop)
 ')

 ###