1# gsid - Manager for GSI Installation
2
3type gsid, domain;
4type gsid_exec, exec_type, file_type, system_file_type;
5typeattribute gsid coredomain;
6
7init_daemon_domain(gsid)
8
9binder_use(gsid)
10binder_service(gsid)
11add_service(gsid, gsi_service)
12set_prop(gsid, gsid_prop)
13
14# Needed to create/delete device-mapper nodes, and read/write to them.
15allow gsid dm_device:chr_file rw_file_perms;
16allow gsid dm_device:blk_file rw_file_perms;
17allow gsid self:global_capability_class_set sys_admin;
18dontaudit gsid self:global_capability_class_set dac_override;
19
20# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
21# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
22# file names.
23allow gsid sysfs_dm:dir r_dir_perms;
24
25# Needed to read fstab, which is used to validate that system verity does not
26# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
27# to get the A/B slot suffix).
28allow gsid proc_cmdline:file r_file_perms;
29allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
30allow gsid sysfs_dt_firmware_android:file r_file_perms;
31
32# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
33allow gsid block_device:dir r_dir_perms;
34
35# liblp queries these block alignment properties.
36allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
37  BLKIOMIN
38  BLKALIGNOFF
39};
40
41# When installing images to an sdcard, gsid needs to be able to stat() the
42# block device. gsid also calls realpath() to remove symlinks.
43allow gsid mnt_media_rw_file:dir r_dir_perms;
44
45# When installing images to an sdcard, gsid must bypass sdcardfs and install
46# directly to vfat, which supports the FIBMAP ioctl.
47allow gsid vfat:dir rw_dir_perms;
48allow gsid vfat:file create_file_perms;
49allow gsid sdcard_block_device:blk_file r_file_perms;
50# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
51# requirement, but the kernel does not implement FIEMAP support for VFAT.
52allow gsid self:global_capability_class_set sys_rawio;
53
54# gsi_tool passes the system image over the adb connection, via stdin.
55allow gsid adbd:fd use;
56# Needed when running gsi_tool through "su root" rather than adb root.
57allow gsid adbd:unix_stream_socket rw_socket_perms;
58
59neverallow { domain -gsid -init } gsid_prop:property_service set;
60
61# gsid needs to store images on /data, but cannot use file I/O. If it did, the
62# underlying blocks would be encrypted, and we couldn't mount the GSI image in
63# first-stage init. So instead of directly writing to /data, we:
64#
65#   1. fallocate a file large enough to hold the signed GSI
66#   2. extract its block layout with FIEMAP
67#   3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
68#   4. write system_gsi into that dm device
69#
70# To make this process work, we need to unwrap the device-mapper stacking for
71# userdata to reach the underlying block device. To verify the result we use
72# stat(), which requires read access.
73allow gsid userdata_block_device:blk_file r_file_perms;
74
75# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
76# init. It cannot use userdata since data cannot be decrypted during this
77# stage.
78#
79# gsid uses /metadata/gsi to store three files:
80#   install_status - A short string indicating whether a GSI image is bootable.
81#   lp_metadata    - LpMetadata blob describing the block ranges on userdata
82#                    where system_gsi resides.
83#   booted         - An empty file that, if exists, indicates that a GSI is
84#                    currently running.
85#
86allow gsid metadata_file:dir search;
87allow gsid gsi_metadata_file:dir rw_dir_perms;
88allow gsid gsi_metadata_file:file create_file_perms;
89
90allow gsid gsi_data_file:dir rw_dir_perms;
91allow gsid gsi_data_file:file create_file_perms;
92allowxperm gsid gsi_data_file:file ioctl FS_IOC_FIEMAP;
93
94neverallow {
95    domain
96    -init
97    -gsid
98    -fastbootd
99    -vold
100} gsi_metadata_file:dir *;
101
102neverallow {
103    domain
104    -init
105    -gsid
106    -fastbootd
107    -vold
108} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };
109
110neverallow {
111    domain
112    -init
113    -gsid
114    -fastbootd
115    -vold
116} { gsi_data_file gsi_metadata_file }:notdevfile_class_set *;
117
118neverallow {
119    domain
120    -gsid
121} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
122
123neverallow {
124    domain
125    -init
126    -gsid
127} gsi_data_file:dir *;
128
129neverallow {
130    domain
131    -gsid
132} gsi_data_file:notdevfile_class_set ~{ relabelto getattr };
133