Add rules for snapshotctl map/unmap.

This change adds rules for system properties "sys.snapshotctl.map" and
"sys.snapshotctl.unmap", for controlling snapshotctl.

This change also adds the missing rules for snapshotctl to perform its
job. Initially, the rules for snapshotctl were added by
http://r.android.com/1126904, for running snapshotctl through init
(http://r.android.com/1123645). However, the trigger was then removed by
http://r.android.com/1239286. Since then, snapshotctl can only be run by
the root shell, in which case it is run in the "su" domain, so the rules
are not tested and therefore get stale over time. To make snapshotctl
function properly when run by init, we need to add the missing rules.

Bug: 311377497
Test: adb shell setprop sys.snapshotctl.map requested
Test: adb shell setprop sys.snapshotctl.unmap requested
Change-Id: I304be6e1825a6768f757d74b3365c4d759b9d07e
diff --git a/private/property.te b/private/property.te
index e06c7e7..ae471d0 100644
--- a/private/property.te
+++ b/private/property.te
@@ -44,6 +44,7 @@
 system_internal_prop(remote_prov_prop)
 system_internal_prop(rollback_test_prop)
 system_internal_prop(setupwizard_prop)
+system_internal_prop(snapshotctl_prop)
 system_internal_prop(snapuserd_prop)
 system_internal_prop(system_adbd_prop)
 system_internal_prop(system_audio_config_prop)
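Review bot: The new `snapshotctl_prop` type is declared here and bound to `sys.snapshotctl.map`/`sys.snapshotctl.unmap` in the property_contexts hunk, but no `set_prop`/`get_prop` rule for it appears anywhere in the patch, so the only domains that can write the trigger are those with blanket property access (init, and the unconfined root shell the description itself calls untested). If a confined domain is meant to drive map/unmap, it needs an explicit `set_prop(<intended setter domain>, snapshotctl_prop)`, and a guard in the style of the new `ctl_snapuserd_prop` neverallow in snapuserd.te, e.g. `neverallow { domain -init -<intended setter domain> } snapshotctl_prop:property_service set;`, would record the control surface in policy rather than leaving it to be inferred. A one-line comment above the declaration such as `# Properties that trigger snapshotctl map/unmap via init (see property_contexts).` would also help later readers.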
diff --git a/private/property_contexts b/private/property_contexts
index cb22d64..024d185 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1659,3 +1659,7 @@
 crashrecovery.rescue_boot_start u:object_r:crashrecovery_prop:s0 exact int
 persist.crashrecovery.enable_rescue u:object_r:crashrecovery_prop:s0 exact bool
 persist.crashrecovery.last_factory_reset u:object_r:crashrecovery_prop:s0 exact int
+
+# Properties for controlling snapshotctl.
+sys.snapshotctl.map u:object_r:snapshotctl_prop:s0 exact string
+sys.snapshotctl.unmap u:object_r:snapshotctl_prop:s0 exact string
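Review bot: Both new properties are typed `exact string`, yet the commit's Test lines only ever write the value `requested`; if that is the sole accepted trigger value, the property_contexts `enum` type would let the property service reject anything else at set time, e.g. `sys.snapshotctl.map u:object_r:snapshotctl_prop:s0 exact enum requested`. If other values are legitimately written (for example a status written back by init or snapshotctl), `string` is right but the comment should say what values are expected.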
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
index fb2bbca..c92217d 100644
--- a/private/snapshotctl.te
+++ b/private/snapshotctl.te
@@ -43,3 +43,22 @@
   allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
   allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
 ')
+
+# Allow to read /proc/bootconfig.
+allow snapshotctl proc_bootconfig:file r_file_perms;
+
+# Allow to control snapuserd.
+set_prop(snapshotctl, ctl_snapuserd_prop)
+
+# Allow to read snapuserd.* properties.
+get_prop(snapshotctl, snapuserd_prop)
+
+# Allow to talk to snapuserd.
+allow snapshotctl snapuserd_socket:sock_file write;
+allow snapshotctl snapuserd:unix_stream_socket { connectto };
+
+# Allow to read /dev/block/dm-* (device-mapper) nodes.
+allow snapshotctl dm_device:blk_file r_file_perms;
+
+# Allow to read dm-user control nodes.
+allow snapshotctl dm_user_device:dir search;
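Review bot: The last rule's comment says "read dm-user control nodes", but `allow snapshotctl dm_user_device:dir search;` grants only directory traversal and no access to the nodes inside it, so either the comment overstates the grant or a node-level rule is still missing; if traversal is all that is needed, rewording to `# Allow to search the dm-user device directory.` keeps the policy honest for the next reviewer. Similarly, `dm_device:blk_file r_file_perms` includes `ioctl` as far as I recall the macro, which goes beyond the "read /dev/block/dm-*" wording of its comment; if ioctls are needed the comment should say so. The `')` at the top of the hunk closes a conditional block that begins outside the hunk, so all of the new rules are unconditional and apply on every build.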
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 3752e01..fda3fd1 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -71,3 +71,14 @@
 # io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
 allow snapuserd self:capability ipc_lock;
 io_uring_use(snapuserd)
+
+# Disallow other domains controlling snapuserd.
+neverallow {
+  domain
+  -fastbootd
+  -init
+  -recovery
+  -shell
+  -snapshotctl
+  -update_engine
+} ctl_snapuserd_prop:property_service set;
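Review bot: `-shell` is the broadest exemption in the new neverallow: it permits a rule granting the adb shell domain `set` on `ctl_snapuserd_prop`, i.e. starting or stopping snapuserd from any connected host, on user builds as well as debuggable ones. If that access is intended only for development, the exemption could be wrapped in `userdebug_or_eng(`-shell')`, or dropped if no `set_prop(shell, ctl_snapuserd_prop)` actually exists; if it is intentional on user builds, the comment should say why. A comment above the statement giving the reason each listed domain needs control of snapuserd would make the allowlist reviewable without reading every other .te file.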