Commit graph

10 commits

Author SHA1 Message Date
Kelvin Zhang
aa3ac9fafd Fix io_uring permission denial for snapuserd
Starting with
91a9ab7c94
, calling io_uring_setup will need selinux permission to create anon
inodes.

Test: th
Bug: 244785938

Change-Id: I351983fefabe0f6fdaf9272506ea9dd24bc083a9
2022-09-06 17:11:54 +00:00
Akilesh Kailash
5c5fd255d2 New property to control Async I/O for snapuserd
io_uring_setup() system call requires ipc_lock.

(avc: denied { ipc_lock } for comm="snapuserd" capability=14 scontext=u:r:snapuserd:s0 tcontext=u:r:snapuserd:s0 tclass=capability permissive=0)

Add selinux policy.

Bug: 202784286
Test: OTA tests
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I806714c7ade0a5d4821b061396c9f064ee5ed8b6
2022-01-13 06:27:46 +00:00
Akilesh Kailash
8a9ec2a496 New property to control virtual a/b user-space snapshots
Bug: 193863443
Test: OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I89e5d105071c2529c9ceb661c04588ff88ffdd76
2021-11-19 23:35:32 +00:00
David Anderson
f855bc1231 Merge "Allow snapuserd to inotify watch /dev/socket." 2021-08-05 16:40:57 +00:00
David Anderson
136b4ea873 Allow snapuserd to inotify watch /dev/socket.
snapuserd uses an inotify watch to detect when /dev/socket/snapuserd has
been created.

Bug: N/A
Test: no denials after applying OTA on cuttlefish
Change-Id: I2ca16aee84ce7648bceea5c5de32a561b932f528
2021-08-04 19:26:37 -07:00
Akilesh Kailash
8494fbe048 snapuserd: Add selinux policy
Add selinux policy to allow snapuserd to search
through /dev/block/ and read /sys/block directory.

Bug: 193863442
Test: OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I656aee69f4c07ed7caeb1c3c14e44e1a25bd1ba1
2021-08-04 08:40:50 +00:00
David Anderson
bf5b6ce422 Add new snapuserd socket and property rules.
This adds a new property prefix owned by snapuserd, for communicating
when the service is ready to accept connections (snapuserd.ready and
snapuserd.proxy_ready).

This also adds a new socket context. This is a seqpacket socket used to
communicate with a special instance of snapuserd that bridges to the
first-stage daemon.

Bug: 193833730
Test: no denials after OTA applies and boots
Change-Id: Ibad03659eba5c25e205ba00f27d0b4f98585a84b
2021-07-27 10:50:59 -07:00
David Anderson
f4cba7eed5 Add a kernel transition to snapuserd.
The initial launch of snapuserd happens in first-stage init, before
sepolicy is loaded, since snapuserd is needed to mount initial
partitions. After sepolicy is loaded, we immediately re-launch snapuserd
in the correct context. This requires a transition similar to init.

The "allow" lines for the kernel happen in permissive mode, since we
need to relabel critical parts of /dev/block in order to re-launch
snapuserd.

Bug: 173476209
Test: OTA applies with ro.virtual_ab.compression.enabled = true
Change-Id: I80184e737ccb558107a14b384a61f7fec31c9428
2020-12-14 23:48:08 -08:00
David Anderson
09bb944221 Add sepolicy for starting the snapuserd daemon through init.
Restrict access to controlling snapuserd via ctl properties. Allow
update_engine to control snapuserd, and connect/write to its socket.

update_engine needs this access so it can create the appropriate dm-user
device (which sends queries to snapuserd), which is then used to build
the update snapshot.

This also fixes a bug where /dev/dm-user was not properly labelled. As a
result, snapuserd and update_engine have been granted r_dir_perms to
dm_user_device.

Bug: 168554689
Test: full ota with VABC enabled
Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
2020-11-19 21:03:30 +00:00
David Anderson
fe30369efb Add sepolicy for dm-user devices and the snapuserd daemon.
dm-user is a new device-mapper module, providing a FUSE-like service for
block devices. It creates control nodes as misc devices under
/dev/dm-user/. Make sure these nodes get a unique selabel.

snapuserd is a daemon for servicing requests from dm-user. It is a
low-level component of Virtual A/B updates, and provides the bridge
betewen dm-snapshot and the new COW format. For this reason it needs
read/write access to device-mapper devices.

Bug: 168259959
Test: ctl.start snapuserd, no denials
      vts_libsnapshot_test, no denials
Change-Id: I36858a23941767f6127d6fbb9e6755c68b91ad31
2020-10-26 23:23:01 -07:00