Merge "Allow gsid to create and access loop devices."

am: 23ba03fc8d Change-Id: Ifef169b3a5b256daec51ffe3ed4b7bf452e00d39
2019-07-19 12:45:52 -07:00 · 2019-07-19 12:45:52 -07:00 · ec5bf1a250
commit ec5bf1a250
parent af9b6fc10b 23ba03fc8d
1 changed files with 15 additions and 1 deletions
--- a/private/gsid.te
+++ b/private/gsid.te
@ -17,6 +17,20 @@ allow gsid dm_device:blk_file rw_file_perms;
 allow gsid self:global_capability_class_set sys_admin;
 dontaudit gsid self:global_capability_class_set dac_override;

+# On FBE devices (not using dm-default-key), gsid will use loop devices to map
+# images rather than device-mapper.
+allow gsid loop_control_device:chr_file rw_file_perms;
+allow gsid loop_device:blk_file rw_file_perms;
+allowxperm gsid loop_device:blk_file ioctl {
+  LOOP_GET_STATUS64
+  LOOP_SET_STATUS64
+  LOOP_SET_FD
+  LOOP_SET_BLOCK_SIZE
+  LOOP_SET_DIRECT_IO
+  LOOP_CLR_FD
+  BLKFLSBUF
+};
+
 # libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
 # This requires traversing /sys/block/dm-N/slaves/* and reading the list of
 # file names.
@ -83,7 +97,7 @@ allow gsid userdata_block_device:blk_file r_file_perms;
 #   booted         - An empty file that, if exists, indicates that a GSI is
 #                    currently running.
 #
-allow gsid metadata_file:dir search;
+allow gsid metadata_file:dir { search getattr };
 allow gsid gsi_metadata_file:dir rw_dir_perms;
 allow gsid gsi_metadata_file:file create_file_perms;