# gsid - Manager for GSI Installation
#
# Type-enforcement policy for the gsid daemon. allow/allowxperm rules are
# grouped by the resource they open up; the neverallow rules at the end
# pin down what every *other* domain must not be able to do with gsid's
# property and its metadata/data files.

type gsid, domain;
type gsid_exec, exec_type, file_type, system_file_type;
typeattribute gsid coredomain;

init_daemon_domain(gsid)

# gsid is a binder service (gsi_service) and a binder client.
binder_use(gsid)
binder_service(gsid)
add_service(gsid, gsi_service)

# Manage DSU metadata encryption key through vold.
allow gsid vold_service:service_manager find;
binder_call(gsid, vold)

set_prop(gsid, gsid_prop)

# Needed to create/delete device-mapper nodes, and read/write to them.
# sys_admin is the capability the device-mapper control path requires; it is
# broad, so it is justified only by this use.
allow gsid dm_device:chr_file rw_file_perms;
allow gsid dm_device:blk_file rw_file_perms;
allow gsid self:global_capability_class_set sys_admin;
# dac_override is not granted; this only silences the denial log noise from
# probes for it.
dontaudit gsid self:global_capability_class_set dac_override;

# On FBE devices (not using dm-default-key), gsid will use loop devices to map
# images rather than device-mapper.
allow gsid loop_control_device:chr_file rw_file_perms;
allow gsid loop_device:blk_file rw_file_perms;
# ioctl access on loop devices is restricted to this explicit allow-list.
allowxperm gsid loop_device:blk_file ioctl {
  LOOP_GET_STATUS64
  LOOP_SET_STATUS64
  LOOP_SET_FD
  LOOP_SET_BLOCK_SIZE
  LOOP_SET_DIRECT_IO
  LOOP_CLR_FD
  BLKFLSBUF
};

# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
# file names.
r_dir_file(gsid, sysfs_dm)

# libfiemap_writer needs to read /sys/fs/f2fs/<dev>/features to determine
# whether pin_file support is enabled.
r_dir_file(gsid, sysfs_fs_f2fs)

# Needed to read fstab, which is used to validate that system verity does not
# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
# to get the A/B slot suffix).
read_fstab(gsid)
allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
allow gsid sysfs_dt_firmware_android:file r_file_perms;

# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
allow gsid block_device:dir r_dir_perms;

# Allow querying the size of super_block_device_type.
allow gsid super_block_device_type:blk_file r_file_perms;

# liblp queries these block alignment properties.
# Only these two ioctls are permitted on the listed block devices.
allowxperm gsid {
  userdata_block_device
  sdcard_block_device
  super_block_device_type
}:blk_file ioctl {
  BLKIOMIN
  BLKALIGNOFF
};

# When installing images to an sdcard, gsid needs to be able to stat() the
# block device. gsid also calls realpath() to remove symlinks.
allow gsid mnt_media_rw_file:dir r_dir_perms;
allow gsid mnt_media_rw_stub_file:dir r_dir_perms;

# When installing images to an sdcard, gsid must bypass sdcardfs and install
# directly to vfat, which supports the FIBMAP ioctl.
# Note that these rules target the generic vfat type, so they cover every
# vfat-labelled directory/file, not just the install location.
allow gsid vfat:dir create_dir_perms;
allow gsid vfat:file create_file_perms;
allow gsid sdcard_block_device:blk_file r_file_perms;
# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
# requirement, but the kernel does not implement FIEMAP support for VFAT.
allow gsid self:global_capability_class_set sys_rawio;

# Allow rules for gsi_tool.
# These are compiled into userdebug/eng builds only; user builds get none of
# them.
userdebug_or_eng(`
  # gsi_tool passes the system image over the adb connection, via stdin.
  allow gsid adbd:fd use;
  # Needed when running gsi_tool through "su root" rather than adb root.
  allow gsid adbd:unix_stream_socket rw_socket_perms;
  # gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
  allow gsid { shell su }:fifo_file r_file_perms;
  # Allow installing images from /storage/emulated/...
  allow gsid { sdcard_type fuse }:file r_file_perms;
')

# Only the domains excluded below may ever set gsid_prop.
neverallow {
  domain
  -gsid
  -init
  -update_engine_common
  -recovery
  -fastbootd
} gsid_prop:property_service set;

# gsid needs to store images on /data, but cannot use file I/O. If it did, the
# underlying blocks would be encrypted, and we couldn't mount the GSI image in
# first-stage init. So instead of directly writing to /data, we:
#
#   1. fallocate a file large enough to hold the signed GSI
#   2. extract its block layout with FIEMAP
#   3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
#   4. write system_gsi into that dm device
#
# To make this process work, we need to unwrap the device-mapper stacking for
# userdata to reach the underlying block device. To verify the result we use
# stat(), which requires read access.
allow gsid userdata_block_device:blk_file r_file_perms;

# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
# init. It cannot use userdata since data cannot be decrypted during this
# stage.
#
# gsid uses /metadata/gsi to store three files:
#   install_status - A short string indicating whether a GSI image is bootable.
#   lp_metadata    - LpMetadata blob describing the block ranges on userdata
#                    where system_gsi resides.
#   booted         - An empty file that, if exists, indicates that a GSI is
#                    currently running.
#
# Only search/getattr on /metadata itself; write access is limited to the
# gsi- and ota-specific subtypes below.
allow gsid metadata_file:dir { search getattr };
allow gsid {
  gsi_metadata_file_type
}:dir create_dir_perms;

allow gsid {
  ota_metadata_file
}:dir rw_dir_perms;

allow gsid {
  gsi_metadata_file_type
  ota_metadata_file
}:file create_file_perms;

# Allow restorecon to fix context of gsi_public_metadata_file.
# Relabeling is one-directional: gsi_metadata_file -> gsi_public_metadata_file.
allow gsid file_contexts_file:file r_file_perms;
allow gsid gsi_metadata_file:file relabelfrom;
allow gsid gsi_public_metadata_file:file relabelto;

allow gsid {
  gsi_data_file
  ota_image_data_file
}:dir create_dir_perms;
allow gsid {
  gsi_data_file
  ota_image_data_file
}:file create_file_perms;
# FIEMAP is how the block layout of the installed image is extracted (see the
# /data write-path comment above).
allowxperm gsid {
  gsi_data_file
  ota_image_data_file
}:file ioctl {
  FS_IOC_FIEMAP
  FS_IOC_GETFLAGS
};

# NOTE(review): the reason for this outbound call to system_server is not
# stated here; presumably a callback/reply path for gsi_service clients --
# confirm with the gsid source before widening or narrowing it.
allow gsid system_server:binder call;

# Prevent most processes from writing to gsi_metadata_file_type, but allow
# adding rules for path resolution of gsi_public_metadata_file and reading
# gsi_public_metadata_file.
neverallow {
  domain
  -init
  -gsid
  -fastbootd
} gsi_metadata_file_type:dir no_w_dir_perms;

neverallow {
  domain
  -init
  -gsid
  -fastbootd
} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;

neverallow {
  domain
  -init
  -gsid
  -fastbootd
} gsi_public_metadata_file:file_class_set ~{ r_file_perms };

# Prevent apps from accessing gsi_metadata_file_type.
neverallow {
  appdomain
  -shell
} gsi_metadata_file_type:dir_file_class_set *;

# Image data under /data/gsi: no domain other than init and gsid gets any
# access at all ...
neverallow {
  domain
  -init
  -gsid
} gsi_data_file:dir_file_class_set *;

# ... and even init (the only other domain the rule above lets through) is
# held to relabelto and getattr on the file classes.
neverallow {
  domain
  -gsid
} gsi_data_file:file_class_set ~{ relabelto getattr };