tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/snapshotctl.te
Jiakai Zhang b9cf68a2f5 Add rules for snapshotctl map/unmap. 
This change adds rules for system properties "sys.snapshotctl.map" and
"sys.snapshotctl.unmap", for controlling snapshotctl.

This change also adds the missing rules for snapshotctl to perform its
job. Initially, the rules for snapshotctl were added by
http://r.android.com/1126904, for running snapshotctl through init
(http://r.android.com/1123645). However, the trigger was then removed by
http://r.android.com/1239286. Since then, snapshotctl can be only run by
the root shell, in which case it is run in the "su" domain, so the rules
are not tested and therefore get stale over time. To make snapshotctl
function properly when run by init, we need to add the missing rules.

Bug: 311377497
Test: adb shell setprop sys.snapshotctl.map requested
Test: adb shell setprop sys.snapshotctl.unmap requested
Change-Id: I304be6e1825a6768f757d74b3365c4d759b9d07e
2024-03-11 11:18:50 +00:00

64 lines
2.1 KiB
Text
Raw Blame History

type snapshotctl, domain, coredomain;
type snapshotctl_exec, system_file_type, exec_type, file_type;
# Allow init to run snapshotctl and do auto domain transfer.
init_daemon_domain(snapshotctl);
# Allow to start gsid service.
set_prop(snapshotctl, ctl_gsid_prop)
# Allow to talk to gsid.
binder_use(snapshotctl)
allow snapshotctl gsi_service:service_manager find;
binder_call(snapshotctl, gsid)
# Allow to create/read/write/delete OTA metadata files for snapshot status and COW file status.
allow snapshotctl metadata_file:dir search;
allow snapshotctl ota_metadata_file:dir rw_dir_perms;
allow snapshotctl ota_metadata_file:file create_file_perms;
# Allow to get A/B slot suffix from device tree or kernel cmdline.
r_dir_file(snapshotctl, sysfs_dt_firmware_android);
allow snapshotctl proc_cmdline:file r_file_perms;
# Needed to (re-)map logical partitions.
allow snapshotctl block_device:dir r_dir_perms;
allow snapshotctl super_block_device:blk_file r_file_perms;
# Interact with device-mapper to collapse snapshots.
allow snapshotctl dm_device:chr_file rw_file_perms;
# Needed to mutate device-mapper nodes.
allow snapshotctl self:global_capability_class_set sys_admin;
# Snapshotctl talk to boot control HAL to set merge status.
hwbinder_use(snapshotctl)
hal_client_domain(snapshotctl, hal_bootctl)
# Allow snapshotctl to write to statsd socket.
unix_socket_send(snapshotctl, statsdw, statsd)
# Logging
userdebug_or_eng(`
allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
')
# Allow to read /proc/bootconfig.
allow snapshotctl proc_bootconfig:file r_file_perms;
# Allow to control snapuserd.
set_prop(snapshotctl, ctl_snapuserd_prop)
# Allow to read snapuserd.* properties.
get_prop(snapshotctl, snapuserd_prop)
# Allow to talk to snapuserd.
allow snapshotctl snapuserd_socket:sock_file write;
allow snapshotctl snapuserd:unix_stream_socket { connectto };
# Allow to read /dev/block/dm-* (device-mapper) nodes.
allow snapshotctl dm_device:blk_file r_file_perms;
# Allow to read dm-user control nodes.
allow snapshotctl dm_user_device:dir search;
Reference in a new issue View git blame Copy permalink