Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().
Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).
This change:
- Remove the neverallow restriction on this new type. This means any
custom FUSE implementation can be mounted/unmounted (if the correct
allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
for compatibility reason.
Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
Grant ReadDefaultFstab() callers
allow scontext { metadata_file gsi_metadata_file_type }:dir search;
allow scontext gsi_public_metadata_file:file r_file_perms;
so they can search / read DSU metadata files.
The DSU metadata files are required to deduce the correct fstab.
Also tighten the neverallow rules in gsid.te.
Bug: 181110285
Test: Build pass, presubmit test
Test: Boot and check avc denials
Test: Boot with DSU and check avc denials
Change-Id: Ie464b9a8f7a89f9cf8f4e217dad1322ba3ad0633
Split gsi_metadata_file into gsi_metadata_file plus
gsi_public_metadata_file, and add gsi_metadata_file_type attribute.
Files that are okay to be publicly readable are labeled with
gsi_public_metadata_file. Right now only files needed to infer the
device fstab belong to this label.
The difference between gsi_metadata_file and gsi_public_metadata_file is
that gsi_public_metadata_file has relaxed neverallow rules, so processes
who wish to read the fstab can add the respective allow rules to their
policy files.
Allow gsid to restorecon on gsi_metadata_file to fix the file context of
gsi_public_metadata_file.
Bug: 181110285
Test: Build pass
Test: Issue a DSU installation then verify no DSU related denials and
files under /metadata/gsi/ are labeled correctly.
Change-Id: I54a5fe734dd345e28fd8c0874d5fceaf80ab8c11
These neverallow rules have grown over the years, and there are now some
duplicated rules. For example,
neverallow scon tcon:tcls ~{ read };
really isn't doing anything due to the
neverallow scon tcon:tcls *;
banning every actions already.
Remove these rules to make them more manageable, and make the follow-up
changes simpler to review.
Bug: 181110285
Test: Build pass
Change-Id: I82f2bbb54436153507b451a61b3075f223522028
We're not doing anything special with device files, so no point
excluding them from the neverallow rules.
Principle of KISS.
Bug: 181110285
Test: Build pass
Change-Id: I0e203665aa2134579d97b580cb9301755edb62b1
Bug: 168571434
Test: 1. Install a DSU system.
2. Boot the DSU system and reboot back to the host system.
3. Wipe the DSU installation.
4. DSU metadata key dir /metadata/vold/metadata_encryption/dsu/dsu is
destroyed.
Change-Id: I229a02abb7bd1f070bb078bdaf89fb27cc4bfa47
`gsid` may receive a FIFO if invoked via `gsi_tool`.
For the `su root` case, allow `gsid` to read `shell` FIFO.
For the `adb root` case, allow `gsid` to read `su` FIFO.
Move `gsi_tool` related allow rules to userdebug and
eng build only, because these are development features
that require root permission, thus shouldn't be shipped
on a user build.
Bug: 166589508
Test: adb unroot && gzip -c system.raw | adb shell "zcat | su root gsi_tool install ..."
Test: adb root && gzip -c system.raw | adb shell "zcat | gsi_tool install ..."
Change-Id: I779e4d49eb57240b1a5422139d7683dbac0da988
gsid needs this to check if the underlying F2FS filesystem supports
file pinning.
Bug: 164988795
Test: Install a DSU package on CF
Test: avc denial goes away
Change-Id: Idc2456d7576cf61f6f891c082228c5143378d733
gsid needs access to /sys/fs/f2fs/<dev>/features to detect whether
pin_file support is enabled in the kernel.
Bug: 134949511
Test: libsnapshot_test gtest
Change-Id: I5c7ddba85c5649654097aa51285d7fa5c53f4702
In normal Android, libsnapshot interacts with libfiemap over binder (via
IGsid). There is no binder in recovery, so instead, we directly link to
the library and therefore need appropriate sepolicy changes.
Bug: 139154945
Test: no denials in recovery or fastbootd
Change-Id: I356d7b5b906ac198e6f32c4d0cdd206c97faeb84
- /data/gsi/ota/* now has the type ota_image_data_file. At runtime
during an OTA, update_engine uses libsnapshot to talk to gsid
to create these images as a backing storage of snapshots. These
"COW images" stores the changes update_engine has applied to
the partitions.
If the update is successful, these changes will be merged to the
partitions, and these images will be teared down. If the update
fails, these images will be deleted after rolling back to the
previous slot.
- /metadata/gsi/ota/* now has the type ota_metadata_file. At runtime
during an OTA, update_engine and gsid stores update states and
information of the created snapshots there. At next boot, init
reads these files to re-create the snapshots.
Beside these assignments, this CL also allows gsid and update_engine
to have the these permissions to do these operations.
Bug: 135752105
Test: apply OTA, no failure
Change-Id: Ibd53cacb6b4ee569c33cffbc18b1b801b62265de
gsid creates loop devices when it cannot use device-mapper. This can
occur when images are split into multiple files (for example, FAT32) or
when a device is unencrypted, or FBE without metadata encryption. In
addition to accessing /dev/loop-control and loop devices, it also needs
LOOP_SET_DIRECT_IO and LOOP_SET_BLOCK_SIZE to optimize writes.
Bug: 134536978
Test: gsi_tool install works on crosshatch with metadata encryption
disabled
Change-Id: I3f0aee1d0757e4b299deee74a8c1077846d56292
This is needed now that libfiemap_writer reads from dm/name to find
device-mapper names.
Bug: 134536978
Test: gsi_tool install
Change-Id: I10e1234f2ea39c92b43ace97fa76878358dfc476
To install GSIs on external storage (such as sdcards), gsid needs some
additional privileges:
- proc_cmdline and device-tree access to call ReadDefaultFstab().
This is ultimately used to check whether system's dm-verity has
check_at_most_once enabled, which is disallowed with sdcards.
- vfat read/write access to write files to the sdcard. Note that
adopted sdcards are not supported here.
- read access to the sdcard block device. To enable this without
providing access to vold_block_device, a new sdcard_block_device
label was added. Devices must apply this label appropriately to
enable gsid access.
- FIBMAP access for VFAT filesystems, as they do not support FIEMAP.
This only appears to work by granting SYS_RAWIO.
Bug: 126230649
Test: adb shell su root gsi_tool install --install_dir=/mnt/media_rw/...
works without setenforce 0
Change-Id: I88d8d83e5f61d4c0490f912f226fe1fe38cd60ab
