Add sepolicy for starting the snapuserd daemon through init.
Restrict access to controlling snapuserd via ctl properties. Allow
update_engine to control snapuserd, and connect/write to its socket.
update_engine needs this access so it can create the appropriate dm-user
device (which sends queries to snapuserd), which is then used to build
the update snapshot.
This also fixes a bug where /dev/dm-user was not properly labelled. As a
result, snapuserd and update_engine have been granted r_dir_perms to
dm_user_device.
Bug: 168554689
Test: full ota with VABC enabled
Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 4e7d20d..f89f2e2 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -9,6 +9,7 @@
adbd_config_prop
apex_info_file
cgroup_v2
+ ctl_snapuserd_prop
debugfs_kprobes
device_config_profcollect_native_boot_prop
device_state_service
diff --git a/private/file_contexts b/private/file_contexts
index abd9ad0..7f8aef3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -94,7 +94,7 @@
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
-/dev/dm-user/.+ u:object_r:dm_user_device:s0
+/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
diff --git a/private/property.te b/private/property.te
index ffd3c51..575785d 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,5 +1,6 @@
# Properties used only in /system
system_internal_prop(adbd_prop)
+system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
diff --git a/private/property_contexts b/private/property_contexts
index e136dc9..5750acc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -172,6 +172,11 @@
# Restrict access to restart dumpstate
ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+# Restrict access to control snapuserd
+ctl.start$snapuserd u:object_r:ctl_snapuserd_prop:s0
+ctl.stop$snapuserd u:object_r:ctl_snapuserd_prop:s0
+ctl.restart$snapuserd u:object_r:ctl_snapuserd_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
diff --git a/private/shell.te b/private/shell.te
index 452ee16..0e94cd1 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -127,6 +127,7 @@
set_prop(shell, traced_perf_enabled_prop)
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
set_prop(shell, ctl_gsid_prop)
+set_prop(shell, ctl_snapuserd_prop)
# Allow shell to enable Dynamic System Update
set_prop(shell, dynamic_system_prop)
# Allow shell to mock an OTA using persist.pm.mock-upgrade
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 4632240..99ee90f 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -1,4 +1,6 @@
# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
+type snapuserd, domain;
+type snapuserd_exec, exec_type, file_type, system_file_type;
typeattribute snapuserd coredomain;
@@ -12,4 +14,5 @@
allow snapuserd dm_device:blk_file rw_file_perms;
# Reading and writing to dm-user control nodes.
+allow snapuserd dm_user_device:dir r_dir_perms;
allow snapuserd dm_user_device:chr_file rw_file_perms;
diff --git a/private/update_engine.te b/private/update_engine.te
index a33e675..8e09154 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -9,6 +9,9 @@
# Allow to start gsid service.
set_prop(update_engine, ctl_gsid_prop)
+# Allow to start snapuserd for dm-user communication.
+set_prop(update_engine, ctl_snapuserd_prop)
+
# Allow to set the OTA related properties, e.g. ota.warm_reset.
set_prop(update_engine, ota_prop)
@@ -17,3 +20,7 @@
# Allow update_engine to call the callback function provided by GKI update hook.
binder_call(update_engine, gki_apex_prepostinstall)
+
+# Allow to communicate with the snapuserd service, for dm-user snapshots.
+allow update_engine snapuserd:unix_stream_socket connectto;
+allow update_engine snapuserd_socket:sock_file write;
diff --git a/public/init.te b/public/init.te
index 805d9c2..d966e68 100644
--- a/public/init.te
+++ b/public/init.te
@@ -27,7 +27,7 @@
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
-allow init { device socket_device }:dir relabelto;
+allow init { device socket_device dm_user_device }:dir relabelto;
# allow init to establish connection and communicate with lmkd
unix_socket_connect(init, lmkd, lmkd)
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
diff --git a/public/snapuserd.te b/public/snapuserd.te
deleted file mode 100644
index 2dd2db2..0000000
--- a/public/snapuserd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
-
-type snapuserd, domain;
-type snapuserd_exec, exec_type, file_type, system_file_type;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index d110238..dd90fbc 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -65,6 +65,10 @@
# apply / verify updates on devices mapped via device mapper
allow update_engine_common dm_device:blk_file rw_file_perms;
+# read /dev/dm-user, so that we can inotify wait for control devices to be
+# asynchronously created by ueventd.
+allow update_engine dm_user_device:dir r_dir_perms;
+
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device_type:blk_file rw_file_perms;