This lets update_verifier call supportsCheckpoint to defer marking the
boot as successful when we may end up failing before we would commit
the checkpoint. In this case, we will mark the boot as successful just
before committing the checkpoint.
Test: Check that marking the boot as succesful was deferred in
update_verifier, and done later on.
Change-Id: I9b4f3dd607ff5301860e78f4604b600b4ee416b7
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.
Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.
Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
Prior to this CL, /sys/devices/virtual/block/dm-X was using the generic
sysfs label. This CL creates sysfs_dm label and grants the following
accesses:
- update_verifier to read sysfs_dm dir and file at
/sys/devices/virtual/block/dm-X.
- vold to write sysfs_dm.
Bug: 63440407
Test: update_verifier successfully triggers blocks verification and
marks a sucessful boot;
Test: No sysfs_dm related denials on sailfish.
Change-Id: I6349412707800f1bd3a2fb94d4fe505558400c95
Currently update_verifier only verifies the blocks when dm-verity is in
'enforcing' mode; and dm-verity will reboot the device upon detection of
errors. However, sometimes the verity mode is not guaranteed to be
correct. When mode is 'eio' for example, dm-verity will not trigger
a reboot but rather fail the read. So update_verifier need to take the
responsibility to reboot the device. Otherwise the device will continue
to boot without setting the flag "isSlotMarkedSuccessful".
Denial message:
update_verifier: type=1400 audit(0.0:18): avc: denied { write } for
name="property_service" dev="tmpfs" ino=14678 scontext=u:r:update_verifier:s0
tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
Bug: 36260064
Test: powerctl property sets successfully
Change-Id: I7431f87e2d61be1425397732aebb369d4ad4c26c
This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.
Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.
Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.
P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.
Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
1. make dist
2. Ensure device has network connectivity
3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
Allow update_verifier to load the boot_control_hal in passthrough mode.
Test: update_verifier works, no denials
Bug: 34656553
Change-Id: I5c20ce67c8f1fd195f2429dae497221514ed95a8
The service running the boot control HAL needs the permissions
provided by the boot_control_hal attribute. update_engine and
update_verifier still also need these permissions in order
to successfully call the new HAL in pass-through mode, but also
need permission to call the new service.
Bug: 31864052
Test: Built and confirmed no permission denials.
Change-Id: I2a6fdd5cf79b9e461d7cc14bd5b7abd6481ed911
Signed-off-by: Connor O'Brien <connoro@google.com>
Grant boot_control_hal permissions to the hal_boot service;
update_engine and update_verifier can call that service rather
than using those permissions themselves.
Bug: 31864052
Test: `bootctl set-active-boot-slot 1`
Change-Id: I5188bc32e7933d4a0f5135b3246df119d3523d69
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c