Merge "Add rules for snapshotctl map/unmap." into main
diff --git a/private/property.te b/private/property.te
index e06c7e7..ae471d0 100644
--- a/private/property.te
+++ b/private/property.te
@@ -44,6 +44,7 @@
 system_internal_prop(remote_prov_prop)
 system_internal_prop(rollback_test_prop)
 system_internal_prop(setupwizard_prop)
+system_internal_prop(snapshotctl_prop)
 system_internal_prop(snapuserd_prop)
 system_internal_prop(system_adbd_prop)
 system_internal_prop(system_audio_config_prop)
diff --git a/private/property_contexts b/private/property_contexts
index cb22d64..024d185 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1659,3 +1659,7 @@
 crashrecovery.rescue_boot_start u:object_r:crashrecovery_prop:s0 exact int
 persist.crashrecovery.enable_rescue u:object_r:crashrecovery_prop:s0 exact bool
 persist.crashrecovery.last_factory_reset u:object_r:crashrecovery_prop:s0 exact int
+
+# Properties for controlling snapshotctl.
+sys.snapshotctl.map u:object_r:snapshotctl_prop:s0 exact string
+sys.snapshotctl.unmap u:object_r:snapshotctl_prop:s0 exact string
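Review bot: Both new entries on lines 24-25 use the loosest property type, `exact string`, so the property service will accept any value written to them; if the map/unmap controls take a fixed set of states, declaring them as `exact enum <states>` (placeholder for the actual state names) lets init reject unexpected values at set time instead of leaving validation to the consumer. No hunk in this change grants any domain get_prop or set_prop on the new snapshotctl_prop type, so the setter and reader of these properties are presumably defined elsewhere (init, or rules outside this diff) — worth confirming the intended setter is a narrow domain rather than a broad one.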
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
index fb2bbca..c92217d 100644
--- a/private/snapshotctl.te
+++ b/private/snapshotctl.te
@@ -43,3 +43,22 @@
   allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
   allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
 ')
+
+# Allow to read /proc/bootconfig.
+allow snapshotctl proc_bootconfig:file r_file_perms;
+
+# Allow to control snapuserd.
+set_prop(snapshotctl, ctl_snapuserd_prop)
+
+# Allow to read snapuserd.* properties.
+get_prop(snapshotctl, snapuserd_prop)
+
+# Allow to talk to snapuserd.
+allow snapshotctl snapuserd_socket:sock_file write;
+allow snapshotctl snapuserd:unix_stream_socket { connectto };
+
+# Allow to read /dev/block/dm-* (device-mapper) nodes.
+allow snapshotctl dm_device:blk_file r_file_perms;
+
+# Allow to read dm-user control nodes.
+allow snapshotctl dm_user_device:dir search;
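Review bot: The comment on line 51 says "read dm-user control nodes" but the rule on line 52 grants only `dir search` on dm_user_device, which permits path traversal through the directory, not listing or reading its entries; either tighten the comment to `# Allow to traverse /dev/dm-user to reach dm-user control nodes.` or, if snapshotctl really enumerates that directory, grant `r_dir_perms` explicitly so the intent matches the rule. Line 49 grants `r_file_perms` on dm_device blk_file, which in the Android macros includes `ioctl` and `map` in addition to open/read/getattr; if snapshotctl only needs to stat or read the dm-* nodes, a narrower permission set keeps the device-mapper surface exposed to this domain smaller. Separately, the hunk gives snapshotctl set_prop on ctl_snapuserd_prop and get_prop on snapuserd_prop but no get_prop/set_prop on snapshotctl_prop; if snapshotctl itself is expected to read or report status through sys.snapshotctl.map/unmap, that grant is missing here (it may be intended that only init touches them — confirm).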
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 3752e01..fda3fd1 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -71,3 +71,14 @@
 # io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
 allow snapuserd self:capability ipc_lock;
 io_uring_use(snapuserd)
+
+# Disallow other domains controlling snapuserd.
+neverallow {
+  domain
+  -fastbootd
+  -init
+  -recovery
+  -shell
+  -snapshotctl
+  -update_engine
+} ctl_snapuserd_prop:property_service set;
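Review bot: The `-shell` exclusion on line 68 lets an interactive adb shell start and stop snapuserd, which is a broader exemption than the other listed domains (all system components); if this is only needed for debugging, keep the actual `set_prop(shell, ctl_snapuserd_prop)` allow rule, wherever it lives, inside `userdebug_or_eng()` so production builds do not inherit it, and record that intent in the comment on line 62, e.g. `# Disallow other domains controlling snapuserd; shell is exempted for debugging only.` The neverallow scopes itself to `property_service set`, which matches the set_prop grant added for snapshotctl in private/snapshotctl.te; the allow rules for the remaining exempted domains are outside this diff.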