f375337cc8
snapshotctl is a shell interface for libsnapshot. After rebooting
into an updated build, on sys.boot_completed, init calls
snapshotctl to merge snapshots. In order to do that, it needs to:
- Talk to gsid to mount and unmount COW images
- read the current slot suffix to do checks (and avoid merging
snapshots when it shouldn't).
- read / write OTA metadata files to understand states of
the snapshot
- delete OTA metadata files once a snapshot is merged
- collapse the snapshot device-mapper targets into a plain
dm-linear target by re-mapping devices on device-mapper
Test: reboot after OTA, see merge completed without denials
Bug: 135752105
Change-Id: Idfe99d4004e24805d56cd0ab2479557f237c2448
32 lines
1.2 KiB
Text
32 lines
1.2 KiB
Text
type snapshotctl, domain, coredomain;
|
|
type snapshotctl_exec, system_file_type, exec_type, file_type;
|
|
|
|
# Allow init to run snapshotctl and do auto domain transfer.
|
|
init_daemon_domain(snapshotctl);
|
|
|
|
# Allow to start gsid service.
|
|
set_prop(snapshotctl, ctl_gsid_prop)
|
|
|
|
# Allow to talk to gsid.
|
|
binder_use(snapshotctl)
|
|
allow snapshotctl gsi_service:service_manager find;
|
|
binder_call(snapshotctl, gsid)
|
|
|
|
# Allow to read/write/delete OTA metadata files for snapshot status and COW file status.
|
|
allow snapshotctl metadata_file:dir search;
|
|
allow snapshotctl ota_metadata_file:dir rw_dir_perms;
|
|
allow snapshotctl ota_metadata_file:file { rw_file_perms unlink };
|
|
|
|
# Allow to get A/B slot suffix from device tree or kernel cmdline.
|
|
r_dir_file(snapshotctl, sysfs_dt_firmware_android);
|
|
allow snapshotctl proc_cmdline:file r_file_perms;
|
|
|
|
# Needed to (re-)map logical partitions.
|
|
allow snapshotctl block_device:dir r_dir_perms;
|
|
allow snapshotctl super_block_device:blk_file r_file_perms;
|
|
|
|
# Interact with device-mapper to collapse snapshots.
|
|
allow snapshotctl dm_device:chr_file rw_file_perms;
|
|
|
|
# Needed to mutate device-mapper nodes.
|
|
allow snapshotctl self:global_capability_class_set sys_admin;
|