# gsid - Manager for GSI Installation
#
# gsid is a coredomain daemon launched by init. It publishes gsi_service over
# binder and, together with init, is the only domain permitted to set gsid_prop
# (enforced by the neverallow further down).

type gsid, domain;
type gsid_exec, exec_type, file_type, system_file_type;
typeattribute gsid coredomain;

init_daemon_domain(gsid)

binder_use(gsid)
binder_service(gsid)
add_service(gsid, gsi_service)
set_prop(gsid, gsid_prop)

# Needed to create/delete device-mapper nodes, and read/write to them.
# sys_admin is granted for those device-mapper operations. dac_override is
# deliberately NOT granted: the dontaudit only suppresses the audit message
# for that denial, it does not allow it.
allow gsid dm_device:chr_file rw_file_perms;
allow gsid dm_device:blk_file rw_file_perms;
allow gsid self:global_capability_class_set sys_admin;
dontaudit gsid self:global_capability_class_set dac_override;

# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
# file names. Read-only: no write access to sysfs_dm is granted.
allow gsid sysfs_dm:dir r_dir_perms;

# Needed to read fstab, which is used to validate that system verity does not
# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
# to get the A/B slot suffix). Both sources are read-only.
allow gsid proc_cmdline:file r_file_perms;
allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
allow gsid sysfs_dt_firmware_android:file r_file_perms;

# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
allow gsid block_device:dir r_dir_perms;

# liblp queries these block alignment properties.
# The ioctl permission on these two block device types is narrowed to the
# alignment queries listed here; no other ioctl command is permitted on them.
allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
    BLKIOMIN
    BLKALIGNOFF
};

# When installing images to an sdcard, gsid needs to be able to stat() the
# block device. gsid also calls realpath() to remove symlinks.
allow gsid mnt_media_rw_file:dir r_dir_perms;

# When installing images to an sdcard, gsid must bypass sdcardfs and install
# directly to vfat, which supports the FIBMAP ioctl.
# NOTE(review): these rules are label-based, so they cover every vfat-labeled
# directory and file rather than only the install destination — confirm no
# narrower label exists for the target directory.
allow gsid vfat:dir rw_dir_perms;
allow gsid vfat:file create_file_perms;
allow gsid sdcard_block_device:blk_file r_file_perms;
# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
# requirement, but the kernel does not implement FIEMAP support for VFAT.
# Note that sys_rawio is granted to the gsid domain as a whole; it is not
# scoped to the sdcard install path.
allow gsid self:global_capability_class_set sys_rawio;

# gsi_tool passes the system image over the adb connection, via stdin.
allow gsid adbd:fd use;
# Needed when running gsi_tool through "su root" rather than adb root.
allow gsid adbd:unix_stream_socket rw_socket_perms;

# Assertion: no domain other than init and gsid may ever set gsid_prop.
neverallow { domain -gsid -init } gsid_prop:property_service set;

# gsid needs to store images on /data, but cannot use file I/O. If it did, the
# underlying blocks would be encrypted, and we couldn't mount the GSI image in
# first-stage init. So instead of directly writing to /data, we:
#
# 1. fallocate a file large enough to hold the signed GSI
# 2. extract its block layout with FIEMAP
# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
# 4. write system_gsi into that dm device
#
# To make this process work, we need to unwrap the device-mapper stacking for
# userdata to reach the underlying block device. To verify the result we use
# stat(), which requires read access.
#
# Only read access is granted on userdata itself; the write in step 4 goes
# through the dm device, which is why dm_device has rw_file_perms above and
# userdata_block_device does not.
allow gsid userdata_block_device:blk_file r_file_perms;

# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
# init. It cannot use userdata since data cannot be decrypted during this
# stage.
#
# gsid uses /metadata/gsi to store three files:
#   install_status - A short string indicating whether a GSI image is bootable.
#   lp_metadata    - LpMetadata blob describing the block ranges on userdata
#                    where system_gsi resides.
#   booted         - An empty file that, if exists, indicates that a GSI is
#                    currently running.
#
# metadata_file itself only gets search, so gsid can reach /metadata/gsi but
# has no read or write access to the rest of /metadata.
allow gsid metadata_file:dir search;
allow gsid gsi_metadata_file:dir rw_dir_perms;
allow gsid gsi_metadata_file:file create_file_perms;

# Image storage under /data/gsi (step 1 above). The ioctl permission on these
# files is narrowed to FS_IOC_FIEMAP (step 2); no other ioctl is permitted.
allow gsid gsi_data_file:dir rw_dir_perms;
allow gsid gsi_data_file:file create_file_perms;
allowxperm gsid gsi_data_file:file ioctl FS_IOC_FIEMAP;

# The neverallow rules below grant nothing; they are build-time assertions
# that fail policy compilation if any other rule ever hands these permissions
# to a domain outside the listed exceptions.

# Only init, gsid, fastbootd and vold may perform any operation on the
# /metadata/gsi directory.
neverallow {
    domain
    -init
    -gsid
    -fastbootd
    -vold
} gsi_metadata_file:dir *;

# Every other domain is limited to relabelto and getattr on the files inside
# /metadata/gsi.
# NOTE(review): this appears to be subsumed by the next rule, which denies the
# same source set `*` on the same target/class set; harmless, but redundant —
# confirm before relying on it.
neverallow {
    domain
    -init
    -gsid
    -fastbootd
    -vold
} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };

# No domain outside init/gsid/fastbootd/vold may touch the files under either
# /data/gsi or /metadata/gsi at all.
neverallow {
    domain
    -init
    -gsid
    -fastbootd
    -vold
} { gsi_data_file gsi_metadata_file }:notdevfile_class_set *;

# On the /data/gsi directory, any domain other than gsid is restricted to the
# listed operations. Combined with the next rule (which excludes only init and
# gsid from a full denial), the net effect is that init may perform at most
# these operations and every other domain none.
neverallow {
    domain
    -gsid
} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };

neverallow {
    domain
    -init
    -gsid
} gsi_data_file:dir *;

# On the files under /data/gsi, any domain other than gsid may at most
# relabelto and getattr; together with the `*` rule above this leaves
# init/fastbootd/vold with those two permissions and all other domains with
# none.
neverallow {
    domain
    -gsid
} gsi_data_file:notdevfile_class_set ~{ relabelto getattr };