Commit graph

31 commits

Author SHA1 Message Date
Sandeep Dhavale
f0ea953e60 Fastboot AIDL Sepolicy changes
Bug: 205760652
Test: Build & flash
Change-Id: I2709c5cc2ca859481aac6fecbc99fe30a52a668b
Signed-off-by: Sandeep Dhavale <dhavale@google.com>
2022-11-09 22:21:27 +00:00
David Anderson
9a33615580 Allow fastbootd to execute dmesg in userdebug builds.
This enables users to run "fastboot getvar dmesg" which is important to
debugging flashing failures in automation. The command is only allowed on
unlocked devices running userdebug builds.

Bug: 230269532
Test: fastboot getvar dmesg
Change-Id: Ia27268fd984f903ca73e69b5717f4206a3cf1ae9
2022-06-21 18:01:52 -07:00
Yifan Hong
adc0f709b6 recovery/fastbootd: allow to talk to health HAL.
- Allow to use binder.
- Allow to talk to health HAL.

Test: manual in recovery
Test: fastboot getvar battery-voltage
Bug: 177269435
Change-Id: Ic3b1619ac34a10cb6007b8e011a01841343e9e8b
2021-12-07 16:22:53 -08:00
David Anderson
018004d9d1 Allow fastbootd to mount /metadata in recovery.
It is important that fastbootd is able to mount /metadata in recovery, in
order to check whether Virtual A/B snapshots are present. This is
enabled on userdebug builds, but currently fails on user builds.

Fixes:

        audit: type=1400 audit(7258310.023:24): avc:  denied  { mount } for pid=511 comm="fastbootd" name="/" dev="sda15" ino=2 scontext=u:r:fastbootd:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0

Bug: 181097763
Test: fastboot flash on user build
Change-Id: I1abeeaa3109e08755a1ba44623a46b12d9bfdedc
2021-05-05 16:37:56 -07:00
Yi-Yo Chiang
806898db48 Split gsi_metadata_file and add gsi_metadata_file_type attribute
Split gsi_metadata_file into gsi_metadata_file plus
gsi_public_metadata_file, and add gsi_metadata_file_type attribute.
Files that are okay to be publicly readable are labeled with
gsi_public_metadata_file. Right now only files needed to infer the
device fstab belong to this label.
The difference between gsi_metadata_file and gsi_public_metadata_file is
that gsi_public_metadata_file has relaxed neverallow rules, so processes
who wish to read the fstab can add the respective allow rules to their
policy files.
Allow gsid to restorecon on gsi_metadata_file to fix the file context of
gsi_public_metadata_file.

Bug: 181110285
Test: Build pass
Test: Issue a DSU installation then verify no DSU related denials and
  files under /metadata/gsi/ are labeled correctly.
Change-Id: I54a5fe734dd345e28fd8c0874d5fceaf80ab8c11
2021-03-29 03:09:35 +00:00
Yifan Hong
cda79266ab fastbootd: allow to fetch vendor_boot partition.
vendor_boot is labeled as boot_block_device. With
fastboot fetch command, fastbootd needs to read
the vendor_boot device and return it to the host.

Test: pass
Bug: 173654501
Change-Id: I197e39c9e7572dc9a714f36637c02ee9ead2e5f3
2021-03-11 12:47:04 -08:00
David Anderson
8d0e599fb4 Merge "fastbootd: Allow flashing the cache partition." 2020-03-27 23:48:13 +00:00
David Anderson
91f28e0c2c fastbootd: Allow flashing the cache partition.
This fixes the following denial:
  avc:  denied  { write } for  pid=332 comm="fastbootd" name="mmcblk0p35" dev="tmpfs" ino=11234 scontext=u:r:fastbootd:s0 tcontext=u:object_r:cache_block_device:s0 tclass=blk_file permissive=0
  avc:  denied  { ioctl } for  pid=294 comm="fastbootd" path="/dev/block/mmcblk0p35" dev="tmpfs" ino=6953 ioctlcmd=0x1277 scontext=u:r:fastbootd:s0 tcontext=u:object_r:cache_block_device:s0 tclass=blk_file permissive=0

Bug: 150112538
Test: fastboot flash cache on non-A/B device
Test: fastboot erase cache on non-A/B device
Change-Id: Ib2288b42f2bb47e83b1476319669d6c2719db2ec
2020-03-25 20:58:40 -07:00
Inseob Kim
55e5c9b513 Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
2020-03-18 16:46:04 +00:00
Yifan Hong
75a880bda8 Allow fastbootd to read virtual_ab_prop
It needs to know whether B partitions should be allocated
at the second half of super.

Test: flash and see serial output
Fixes: 147363527
Change-Id: I58c57befa3ee3569c911cbdf506e919fe1d0bae4
2020-01-24 20:21:24 -08:00
David Anderson
11a741961a Give fastbootd permission to mount and write to /metadata/gsi.
This is needed to check for the presence of certain bits, like,
snapshots, a scratch partition, or a DSU installation, as well as to
create status files (which libfiemap uses to track state).

Bug: 134949511
Test: adb remount; fastboot flash system
Change-Id: I50c10647a5793e4c0f35c3dd32de0bc036921914
2019-12-18 15:08:24 -08:00
David Anderson
b45bbe2e55 Allow recovery and fastbootd to interact with libfiemap.
In normal Android, libsnapshot interacts with libfiemap over binder (via
IGsid). There is no binder in recovery, so instead, we directly link to
the library and therefore need appropriate sepolicy changes.

Bug: 139154945
Test: no denials in recovery or fastbootd
Change-Id: I356d7b5b906ac198e6f32c4d0cdd206c97faeb84
2019-11-13 18:46:57 -08:00
David Anderson
483e70bd2a Allow fastbootd and update_engine to read from sysfs_dm.
Bug: 135771280
Test: device flashes, boots
Change-Id: I07816b94566d9da6e7831e29c69dbd06a09bbef8
2019-07-08 12:20:58 -07:00
Yifan Hong
ab85caaa56 super_block_device -> super_block_device_type
Domains that access super_block_device should instead
access super_block_device_type, which includes appropriate
block devices for retrofit DAP devices.

Test: boots (sanity)
Test: manual OTA
Bug: 128991918
Change-Id: Ie025b1e3c17e82330042aaa4a3e2e4a02ec1265b
2019-03-28 18:08:19 +00:00
Yifan Hong
5d89abde99 Allow to getattr kmsg_device
These denials occur on boot when android_get_control_file also
changes from readlink() to realpath(), because realpath() will
lstat() the given path.

Some other domains (fastbootd, update_engine, etc.) also uses
libcutils to write to kernel log, where android_get_control_file()
is invoked, hence getattr is added to them as well.

04-28 06:15:22.290   618   618 I auditd  : type=1400 audit(0.0:4): avc: denied { getattr } for comm="logd" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:logd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
03-20 19:52:23.431   900   900 I auditd  : type=1400 audit(0.0:7): avc: denied { getattr } for comm="android.hardwar" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
...
03-20 22:40:42.316     1     1 W init    : type=1400 audit(0.0:33): avc: denied { getattr } for path="/dev/kmsg" dev="tmpfs" ino=21999 scontext=u:r:init:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

Test: no denials related to these
Change-Id: I5263dd6b64c06fb092f3461858f57a1a09107429
2019-03-25 10:14:20 -07:00
Mark Salyzyn
86f0e54dfa fastboot: fs_mgr: overlay: suppress noise
Suppress noise associated with test mounting scratch partition.

Add internal fs_mgr_is_ext4 and fs_mgr_is_f2fs to get heads up on
mount failures and thus bypass trying.  Resolve all the avc
complaints associated with overlay handling including these new
operations.

Test: adb-remount-test.sh
Bug: 109821005
Change-Id: Ieb1f8c19ced930b6fe2d1791ef710ce528da7e37
2019-03-15 13:25:11 -07:00
Hridya Valsaraju
1912daf6a9 Fastbootd must be able to erase logical partitions
This CL adds permissions to allow fastbootd to erase
logical partitions.

[   33.423370] c5    587 audit: type=1400 audit(2073228.303:11): avc:  denied  { ioctl } for
pid=587 comm="fastbootd" path="/dev/block/dm-0" dev="tmpfs" ino=25433 ioctlcmd=0x127d
scontext=u:r:fastbootd:s0 tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0^M
[   33.446927] c5    587 audit: type=1400 audit(2073228.326:12): avc:  denied  { ioctl }
for  pid=587 comm="fastbootd" path="/dev/block/dm-0" dev="tmpfs" ino=25433 ioctlcmd=0x1277
scontext=u:r:fastbootd:s0 tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0^M

Test: fastboot erase system
Bug: 125391557

Change-Id: I0c99db123ed5357ceb7e16e192042e8e044e3557
2019-02-21 12:36:28 -08:00
Hridya Valsaraju
e6c36ef12f Add permissions required for flashing
These are required to handle the following denials:

audit: type=1400 audit(96805.060:7): avc:  denied  { sys_admin } for
pid=517 comm="fastbootd" capability=21  scontext=u:r:fastbootd:s0 tcontext=u:r:fastbootd:s0
tclass=capability permissive=0␍␊

[14:14:36:606] [   11.196190] audit: type=1400 audit(103042.976:10): avc:  denied  { read } for
pid=520 comm="fastbootd" name="by-name" dev="tmpfs" ino=18500 scontext=u:r:fastbootd:s0
tcontext=u:object_r:block_device:s0 tclass=dir permissive=1

Test: fastboot flashall
Bug: 124410201
Change-Id: I80041a78a5b6df09c6526be6a4066eb771887265
2019-02-15 14:45:18 -08:00
David Anderson
db90b91ea0 Full sepolicy for gsid.
Bug: 122556707
Test: manual test
Change-Id: I2536deefb3aa75deee4aeae7df074349b705b0f0
2019-02-08 05:56:58 +00:00
Hridya Valsaraju
44f3d0f097 Add a few permissions required by fastbootd
These address the following denials:

avc: denied { getattr } for pid=547 comm="fastbootd"
path="/dev/block" dev="tmpfs" ino=18532 scontext=u:r:fastbootd:s0
tcontext=u:object_r:block_device:s0 tclass=dir permissive=1␍

avc: denied { read } for pid=547 comm="fastbootd" name="fstab"
dev="sysfs" ino=25820 scontext=u:r:fastbootd:s0
tcontext=u:object_r:sysfs_dt_firmware_android:s0 tclass=dir permissive=1␍␊

avc: denied { open } for pid=547 comm="fastbootd"
path="/sys/firmware/devicetree/base/firmware/android/fstab" dev="sysfs"]
ino=25820 scontext=u:r:fastbootd:s0
tcontext=u:object_r:sysfs_dt_firmware_android:s0 tclass=dir permissive=1

Bug: 119115481
Test: fastboot flashall
Change-Id: I97dc783ceef396145e3baa5d79194560fc0634f7
2018-12-11 11:18:32 -08:00
Mark Salyzyn
33442f57e7 fastboot: /mnt/scratch refined access on userdebug
Already has permissions to remove the scratch partition, but to allow
more refined cleansing (eg: just remove vendor override), need the
ability to mount and scrub overlay directories.

Test: manual
Bug: 117605276
Change-Id: Ibc272c0aa7ce207280023912f5f119ccf5079a7f
2018-11-01 14:57:01 +00:00
David Anderson
bf0bf05a0c Allow BLKIOMIN and BLKALIGNOFF ioctls to the super device in fastbootd.
These ioctls are similar to BLKGETSIZE64; they return benign information
about the partition's alignment, and are used by liblp to optimally
align dynamic partition extents.

The system_block_device is included here because on retrofit devices,
the "super" partition is mapped to the system partition.

Bug: 116802789
Test: fastboot flashall
Change-Id: I38282904828105cf5f16ce9d4b5884d2b0e89d38
2018-10-30 15:44:03 -07:00
Nick Kralevich
392ac0fd53 fastbootd.te: Delete allowxperm statement
system/sepolicy commit 4c8eaba75a, reviewed in
https://android-review.googlesource.com/c/platform/system/sepolicy/+/793958
started enforcing explicit ioctl permission checks for all block device
files. As part of that commit, the following lines were added to
domain.te:

  # If a domain has access to perform an ioctl on a block device, allow these
  # very common, benign ioctls
  allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };

In essence, if a domain is granted ioctl access to any device in
policy (for example, via adding "ioctl" to the allow rule, or by using
the macro "r_file_perms" which includes the ioctl permission), then the
two ioctls BLKGETSIZE64 and BLKSSZGET will be automatically allowed. As
such, it is redundent for a domain to explicitly request these two
ioctls.

Delete the now redundant allowxperm rule.

Test: policy compiles
Change-Id: I1964ed93a7c7601393cc9e2416f3640ea22db51b
2018-10-22 10:01:10 -07:00
Hridya Valsaraju
2e645853ce Allow fastbootd to read endpoint descriptor for fastboot usb device
Test: fastboot flashall
Bug: 78793464
Change-Id: I8e1e982e3a9e356738944df5bfa1e802794a6a25
2018-10-12 13:33:42 -07:00
Hridya Valsaraju
073efc34e7 Allow fastbootd to wipe metadata.
Metadata needs to be erased as part of fastboot flashall -w.

Test: fastboot erase metadata
Bug: 113648914
Change-Id: I38a0debd9face16cad9d9a13a48549f3f58652fa
2018-09-13 17:55:28 +00:00
Hridya Valsaraju
e9fcce5642 Fastbootd does not require read access to system and boot partitions
Bug: 78793464
Test: fastboot flashall

Change-Id: I5b65b818dc43a01f90a38202e3a1b810fef70ca8
2018-09-07 00:09:34 +00:00
Hridya Valsaraju
f97026db4a Allow fastbootd to wipe userdata.
This is needed for flashall -w to wipe userdata.
Bug: 113648914
Test: fastboot erase userdata

Change-Id: I7e89cf885c9a67c78de67b79ed16af7e50104bf7
2018-09-05 13:40:30 -07:00
Hridya Valsaraju
4ae8fe9b84 Define 'super_block_device' type
Bug: 78793464
Test: fastboot getvar partition-size:super

'super_block_device' corresponds to the super partition
required for flashing dynamic partitions.

Change-Id: I323634b6797ead7c5face117a7028bf9ab947aea
2018-08-20 10:55:03 -07:00
Jerry Zhang
1d85efa9f4 Add sepolicy for fastbootd
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790
2018-08-15 08:45:22 -07:00
Florian Mayer
c2ab15b798 Revert "Add sepolicy for fastbootd"
This reverts commit 0fd3ed3b8b.

Reason for revert: Broke user builds.

Change-Id: If95f1a25d22425a5a2b68a02d1561352fb5a52f0
2018-08-15 09:38:40 +00:00
Jerry Zhang
0fd3ed3b8b Add sepolicy for fastbootd
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I1f97659736429fe961319c642f458c80f199ffb4
2018-08-14 20:21:36 +00:00