Full sepolicy for gsid.
Bug: 122556707
Test: manual test
Change-Id: I2536deefb3aa75deee4aeae7df074349b705b0f0
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index abb796f..6c97fe2 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -48,6 +48,8 @@
flags_health_check_exec
fwk_bufferhub_hwservice
fwk_stats_hwservice
+ gsi_data_file
+ gsi_metadata_file
gsi_service
gsid
gsid_exec
diff --git a/private/file_contexts b/private/file_contexts
index d616285..233d5f4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -438,6 +438,7 @@
/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
+/data/gsi(/.*)? u:object_r:gsi_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
@@ -612,6 +613,7 @@
#
/metadata(/.*)? u:object_r:metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
+/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
#############################
# asec containers
diff --git a/private/gsid.te b/private/gsid.te
index 5ac1c25..0c2e50c 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -7,4 +7,101 @@
init_daemon_domain(gsid)
binder_use(gsid)
+binder_service(gsid)
add_service(gsid, gsi_service)
+
+# Needed to create/delete device-mapper nodes, and read/write to them.
+allow gsid dm_device:chr_file rw_file_perms;
+allow gsid dm_device:blk_file rw_file_perms;
+allow gsid self:global_capability_class_set sys_admin;
+dontaudit gsid self:global_capability_class_set dac_override;
+
+# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
+# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
+# file names.
+allow gsid sysfs_dm:dir r_dir_perms;
+
+# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
+allow gsid block_device:dir r_dir_perms;
+
+# liblp queries these block alignment properties.
+allowxperm gsid userdata_block_device:blk_file ioctl {
+ BLKIOMIN
+ BLKALIGNOFF
+};
+
+# gsi_tool passes the system image over the adb connection, via stdin.
+allow gsid adbd:fd use;
+
+# gsid needs to store images on /data, but cannot use file I/O. If it did, the
+# underlying blocks would be encrypted, and we couldn't mount the GSI image in
+# first-stage init. So instead of directly writing to /data, we:
+#
+# 1. fallocate a file large enough to hold the signed GSI
+# 2. extract its block layout with FIEMAP
+# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
+# 4. write system_gsi into that dm device
+#
+# To make this process work, we need to unwrap the device-mapper stacking for
+# userdata to reach the underlying block device. To verify the result we use
+# stat(), which requires read access.
+allow gsid userdata_block_device:blk_file r_file_perms;
+
+# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
+# init. It cannot use userdata since data cannot be decrypted during this
+# stage.
+#
+# gsid uses /metadata/gsi to store three files:
+# install_status - A short string indicating whether a GSI image is bootable.
+# lp_metadata - LpMetadata blob describing the block ranges on userdata
+# where system_gsi resides.
+# booted - An empty file that, if exists, indicates that a GSI is
+# currently running.
+#
+allow gsid metadata_file:dir search;
+allow gsid gsi_metadata_file:dir rw_dir_perms;
+allow gsid gsi_metadata_file:file create_file_perms;
+
+allow gsid gsi_data_file:dir rw_dir_perms;
+allow gsid gsi_data_file:file create_file_perms;
+allowxperm gsid gsi_data_file:file ioctl FS_IOC_FIEMAP;
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+ -vold
+} gsi_metadata_file:dir *;
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+ -vold
+} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+ -vold
+} { gsi_data_file gsi_metadata_file }:notdevfile_class_set *;
+
+neverallow {
+ domain
+ -gsid
+} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -gsid
+} gsi_data_file:dir *;
+
+neverallow {
+ domain
+ -gsid
+} gsi_data_file:notdevfile_class_set ~{ relabelto getattr };