Allow gsid to create and access loop devices.
gsid creates loop devices when it cannot use device-mapper. This can
occur when images are split into multiple files (for example, FAT32) or
when a device is unencrypted, or FBE without metadata encryption. In
addition to accessing /dev/loop-control and loop devices, it also needs
LOOP_SET_DIRECT_IO and LOOP_SET_BLOCK_SIZE to optimize writes.
Bug: 134536978
Test: gsi_tool install works on crosshatch with metadata encryption
disabled
Change-Id: I3f0aee1d0757e4b299deee74a8c1077846d56292
diff --git a/private/gsid.te b/private/gsid.te
index 73b93fc..305b1c2 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -17,6 +17,20 @@
allow gsid self:global_capability_class_set sys_admin;
dontaudit gsid self:global_capability_class_set dac_override;
+# On FBE devices (not using dm-default-key), gsid will use loop devices to map
+# images rather than device-mapper.
+allow gsid loop_control_device:chr_file rw_file_perms;
+allow gsid loop_device:blk_file rw_file_perms;
+allowxperm gsid loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+};
+
# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
# file names.
@@ -83,7 +97,7 @@
# booted - An empty file that, if exists, indicates that a GSI is
# currently running.
#
-allow gsid metadata_file:dir search;
+allow gsid metadata_file:dir { search getattr };
allow gsid gsi_metadata_file:dir rw_dir_perms;
allow gsid gsi_metadata_file:file create_file_perms;