b45bbe2e55
In normal Android, libsnapshot interacts with libfiemap over binder (via IGsid). There is no binder in recovery, so instead fastbootd links directly to the library and therefore needs the corresponding sepolicy changes (the accesses gsid itself would otherwise exercise).

Bug: 139154945
Test: no denials in recovery or fastbootd
Change-Id: I356d7b5b906ac198e6f32c4d0cdd206c97faeb84
# fastbootd (used in recovery init.rc for /sbin/fastbootd)
#
# Complete SELinux policy for the fastbootd domain. SELinux is default-deny:
# a process in this domain may do only what is granted here (plus what the
# generic `domain' attribute carries). The recovery_only() and
# userdebug_or_eng() m4 blocks gate rules on the policy/build variant, so the
# reachable surface differs between user and userdebug/eng recovery images.

# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
type fastbootd, domain;

# But the allow rules are only included in the recovery policy.
# Otherwise fastbootd is only allowed the domain rules.
recovery_only(`
# fastbootd can only use HALs in passthrough mode
# (no hwbinder in recovery; the boot-control HAL is loaded into the process).
passthrough_hal_client_domain(fastbootd, hal_bootctl)

# Access /dev/usb-ffs/fastbootd/ep0
# This is the USB gadget endpoint over which fastboot commands arrive from
# the (untrusted) host. rw_file_perms includes ioctl; the allowxperm below
# narrows which ioctls are actually permitted on functionfs files.
allow fastbootd functionfs:dir search;
allow fastbootd functionfs:file rw_file_perms;

# With this rule present, FUNCTIONFS_ENDPOINT_DESC is the only ioctl
# fastbootd may issue on functionfs files.
allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
# Log to serial
# Write-only access to /dev/kmsg (no read), so fastbootd cannot harvest the
# kernel log through this rule.
allow fastbootd kmsg_device:chr_file { open getattr write };

# battery info
allow fastbootd sysfs_batteryinfo:file r_file_perms;

# Read/search /dev to locate device nodes.
allow fastbootd device:dir r_dir_perms;

# Reboot the device
# Writing the powerctl property is how a process asks init to reboot or
# shut down.
set_prop(fastbootd, powerctl_prop)

# Read serial number of the device from system properties
get_prop(fastbootd, serialno_prop)

# For dev/block/by-name dir
allow fastbootd block_device:dir r_dir_perms;

# Needed for DM_DEV_CREATE ioctl call
# NOTE(review): CAP_SYS_ADMIN is the broadest Linux capability (it also
# covers mount and many privileged ioctls). It is granted only in the
# recovery policy, but it should still be treated as a high-value grant when
# reviewing what else fastbootd can reach from this domain.
allow fastbootd self:capability sys_admin;

# Set sys.usb.ffs.ready.
set_prop(fastbootd, ffs_prop)
set_prop(fastbootd, exported_ffs_prop)

# Connect to the recovery daemon's unix socket (the macro grants write on
# recovery_socket and connectto on recovery's unix_stream_socket).
unix_socket_connect(fastbootd, recovery, recovery)

# Required for flashing
# dm_device:chr_file is the device-mapper control node. No allowxperm in this
# file narrows its chr_file ioctls (DM_DEV_CREATE and friends need them).
allow fastbootd dm_device:chr_file rw_file_perms;
allow fastbootd dm_device:blk_file rw_file_perms;

# Physical partitions fastbootd may write. Both rw_file_perms and the
# explicit `ioctl' below include the ioctl permission; see the allowxperm
# rules further down for which block ioctls are narrowed and which are not.
allow fastbootd super_block_device_type:blk_file rw_file_perms;
allow fastbootd {
boot_block_device
metadata_block_device
system_block_device
userdata_block_device
}:blk_file { w_file_perms getattr ioctl };

# For disabling/wiping GSI.
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
allow fastbootd metadata_file:dir search;
allow fastbootd gsi_metadata_file:dir r_dir_perms;
allow fastbootd gsi_metadata_file:file rw_file_perms;

# ioctl allow-lists. Once an allowxperm rule exists for a
# (source, target, class) triple, only the listed ioctls are permitted on it.
# NOTE(review): boot_block_device, system_block_device and misc_block_device
# get no allowxperm in this file, so their blk_file ioctl set is not narrowed
# by this policy (unless another .te file adds one) -- confirm that is intended.
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };

# Discard / secure-discard, used when wiping.
allowxperm fastbootd {
metadata_block_device
userdata_block_device
dm_device
}:blk_file ioctl { BLKSECDISCARD BLKDISCARD };

# misc partition: full read/write, ioctl not narrowed here (see note above).
allow fastbootd misc_block_device:blk_file rw_file_perms;

# Kernel command line and the (read-only) root filesystem tree.
allow fastbootd proc_cmdline:file r_file_perms;
allow fastbootd rootfs:dir r_dir_perms;

# Needed to read fstab node from device tree.
allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;

# Needed because libdm reads sysfs to validate when a dm path is ready.
r_dir_file(fastbootd, sysfs_dm)

# Needed for realpath() call to resolve symlinks.
# (getattr is already part of r_dir_perms granted above; kept explicit.)
allow fastbootd block_device:dir getattr;
# Debug builds only: everything in this block widens fastbootd's reach
# considerably and is absent from user-build recovery images.
userdebug_or_eng(`
# Refined manipulation of /mnt/scratch, without these perms resorts
# to deleting scratch partition when partition(s) are flashed.
allow fastbootd self:process setfscreate;
allow fastbootd cache_file:dir search;
allow fastbootd proc_filesystems:file { getattr open read };
# CAP_SYS_RAWIO: raw I/O and privileged block-device ioctls.
allow fastbootd self:capability sys_rawio;
# Kernel module autoload requests stay denied; this only silences the
# audit log entry.
dontaudit fastbootd kernel:system module_request;
# NOTE(review): dev_type is an attribute covering every device type, so this
# rule adds an allowxperm entry for each blk_file type fastbootd may ioctl --
# including boot_block_device, system_block_device and misc_block_device,
# which have no allowxperm in the recovery rules above. Given allowxperm
# semantics (listed ioctls become an allow-list), on userdebug/eng builds
# those devices' ioctl set is reduced to BLKROSET while user builds leave it
# unrestricted, i.e. the two variants enforce different ioctl sets. Worth
# confirming with a denial test on both variants, and considering explicit
# per-type allowxperm rules for all builds.
allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
# Overlay handling for /mnt/scratch: mount on overlayfs dirs and remove
# files/dirs under system, vendor and unlabeled types.
allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
allow fastbootd {
system_file_type
unlabeled
vendor_file_type
}:dir { remove_name rmdir search write };
allow fastbootd {
overlayfs_file
system_file_type
unlabeled
vendor_file_type
}:{ file lnk_file } unlink;
allow fastbootd tmpfs:dir rw_dir_perms;
# Mount/unmount any labeled filesystem (debug builds only).
allow fastbootd labeledfs:filesystem { mount unmount };
get_prop(fastbootd, persistent_properties_ready_prop)
')

# Allow using libfiemap/gsid directly (no binder in recovery).
# In normal Android these operations go through gsid over binder; in recovery
# fastbootd links libfiemap directly, so it needs gsid's own accesses: writing
# gsid_prop and creating/writing files under ota_metadata_file.
# (search on gsi_metadata_file:dir is already in r_dir_perms above.)
set_prop(fastbootd, gsid_prop)
allow fastbootd gsi_metadata_file:dir search;
allow fastbootd ota_metadata_file:dir rw_dir_perms;
allow fastbootd ota_metadata_file:file create_file_perms;
')

###
### neverallow rules
###

# Write permission is required to wipe userdata
# until recovery supports vold.
# Hence only the execute-class permissions (no_x_file_perms) are forbidden on
# data files: fastbootd may write userdata but must never execute anything
# labeled with a data_file_type. This neverallow applies to every policy
# variant, which is why the domain is declared outside recovery_only().
neverallow fastbootd {
data_file_type
}:file { no_x_file_perms };