Add rules for snapshotctl map/unmap.

This change adds rules for system properties "sys.snapshotctl.map" and
"sys.snapshotctl.unmap", for controlling snapshotctl.

This change also adds the missing rules for snapshotctl to perform its
job. Initially, the rules for snapshotctl were added by
http://r.android.com/1126904, for running snapshotctl through init
(http://r.android.com/1123645). However, the trigger was then removed by
http://r.android.com/1239286. Since then, snapshotctl can only be run by
the root shell, in which case it is run in the "su" domain, so the rules
are not tested and therefore get stale over time. To make snapshotctl
function properly when run by init, we need to add the missing rules.

Bug: 311377497
Test: adb shell setprop sys.snapshotctl.map requested
Test: adb shell setprop sys.snapshotctl.unmap requested
Change-Id: I304be6e1825a6768f757d74b3365c4d759b9d07e
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 3752e01..fda3fd1 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -71,3 +71,14 @@
# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
allow snapuserd self:capability ipc_lock;
io_uring_use(snapuserd)
+
+# Disallow other domains controlling snapuserd.
+neverallow {
+ domain
+ -fastbootd
+ -init
+ -recovery
+ -shell
+ -snapshotctl
+ -update_engine
+} ctl_snapuserd_prop:property_service set;
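Review bot: The exception list of the new neverallow (`-fastbootd`, `-init`, `-recovery`, `-shell`, `-snapshotctl`, `-update_engine`) is the actual security boundary for who may set `ctl_snapuserd_prop`, but the comment above it only says "Disallow other domains controlling snapuserd" and gives no rationale for the exceptions; in particular `-shell` deserves a one-line justification, since the commit message describes snapshotctl as otherwise run from the root shell in the `su` domain, not `shell`. Consider expanding the comment to state why each listed domain legitimately needs `set` on this property, e.g. "# init/update_engine/snapshotctl start and stop snapuserd; shell is excluded for local testing" (adjusted to the real reason), so future reviewers can tell an intended exception from a stale one. Also note that a neverallow only constrains the policy; it grants nothing, so the `allow` rules for snapshotctl that the commit message says are being added should be checked in the other files of this change rather than here.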