# gsid - Manager for GSI Installation
#
# SELinux policy (Android .te) for the gsid daemon. Each `allow` below is a
# deliberate grant and is annotated with the reason it is needed; the
# `neverallow` rules at the bottom are compile-time assertions that fail the
# policy build if any other domain is ever granted the access they forbid.

type gsid, domain;
type gsid_exec, exec_type, file_type, system_file_type;
typeattribute gsid coredomain;

init_daemon_domain(gsid)

# Binder client/server setup, registration of gsi_service, and permission to
# set gsid_prop (the neverallow further down restricts who else may set it).
binder_use(gsid)
binder_service(gsid)
add_service(gsid, gsi_service)
set_prop(gsid, gsid_prop)

# Needed to create/delete device-mapper nodes, and read/write to them.
allow gsid dm_device:chr_file rw_file_perms;
allow gsid dm_device:blk_file rw_file_perms;
# NOTE(review): unlike the loop_device rules below, ioctls on dm_device are not
# narrowed with allowxperm, so the whole ioctl range on dm_device is reachable
# from this domain. sys_admin is a broad capability; it is held here for the
# device-mapper operations above.
allow gsid self:global_capability_class_set sys_admin;
# dontaudit only silences the denial log; it does not grant dac_override.
dontaudit gsid self:global_capability_class_set dac_override;

# On FBE devices (not using dm-default-key), gsid will use loop devices to map
# images rather than device-mapper.
allow gsid loop_control_device:chr_file rw_file_perms;
allow gsid loop_device:blk_file rw_file_perms;
# rw_file_perms includes ioctl; this allowxperm narrows it so that only the
# loop commands listed here are permitted on loop_device.
allowxperm gsid loop_device:blk_file ioctl {
  LOOP_GET_STATUS64
  LOOP_SET_STATUS64
  LOOP_SET_FD
  LOOP_SET_BLOCK_SIZE
  LOOP_SET_DIRECT_IO
  LOOP_CLR_FD
  BLKFLSBUF
};

# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
# file names.
r_dir_file(gsid, sysfs_dm)

# libfiemap_writer needs to read /sys/fs/f2fs/<dev>/features to determine
# whether pin_file support is enabled.
r_dir_file(gsid, sysfs_fs_f2fs)

# Needed to read fstab, which is used to validate that system verity does not
# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
# to get the A/B slot suffix).
allow gsid proc_cmdline:file r_file_perms;
# NOTE(review): the sysfs_dt_firmware_android reads are not explained above;
# presumably the same fstab / slot lookup via the device tree - confirm.
allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
allow gsid sysfs_dt_firmware_android:file r_file_perms;

# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
allow gsid block_device:dir r_dir_perms;

# liblp queries these block alignment properties.
# Only the two alignment ioctls are permitted on these block devices.
allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
  BLKIOMIN
  BLKALIGNOFF
};

# When installing images to an sdcard, gsid needs to be able to stat() the
# block device. gsid also calls realpath() to remove symlinks.
allow gsid mnt_media_rw_file:dir r_dir_perms;

# When installing images to an sdcard, gsid must bypass sdcardfs and install
# directly to vfat, which supports the FIBMAP ioctl.
# Note that these grants are scoped by label, so they cover any dir/file
# labeled vfat, not only the GSI install target.
allow gsid vfat:dir rw_dir_perms;
allow gsid vfat:file create_file_perms;
allow gsid sdcard_block_device:blk_file r_file_perms;
# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
# requirement, but the kernel does not implement FIEMAP support for VFAT.
# sys_rawio is another broad capability; it is held only for the FIBMAP path.
allow gsid self:global_capability_class_set sys_rawio;

# gsi_tool passes the system image over the adb connection, via stdin.
allow gsid adbd:fd use;
# Needed when running gsi_tool through "su root" rather than adb root.
allow gsid adbd:unix_stream_socket rw_socket_perms;

# Only the domains excluded here may set gsid_prop; a new setter must be added
# to this list or the policy build fails.
neverallow {
  domain
  -gsid
  -init
  -update_engine_common
  -recovery
  -fastbootd
} gsid_prop:property_service set;

# gsid needs to store images on /data, but cannot use file I/O. If it did, the
# underlying blocks would be encrypted, and we couldn't mount the GSI image in
# first-stage init. So instead of directly writing to /data, we:
#
#   1. fallocate a file large enough to hold the signed GSI
#   2. extract its block layout with FIEMAP
#   3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
#   4. write system_gsi into that dm device
#
# To make this process work, we need to unwrap the device-mapper stacking for
# userdata to reach the underlying block device. To verify the result we use
# stat(), which requires read access.
allow gsid userdata_block_device:blk_file r_file_perms;

# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
# init. It cannot use userdata since data cannot be decrypted during this
# stage.
#
# gsid uses /metadata/gsi to store three files:
#   install_status - A short string indicating whether a GSI image is bootable.
#   lp_metadata    - LpMetadata blob describing the block ranges on userdata
#                    where system_gsi resides.
#   booted         - An empty file that, if exists, indicates that a GSI is
#                    currently running.
#
# Only search/getattr on the parent metadata_file dir; full dir control is
# limited to the gsi_metadata_file subtree.
allow gsid metadata_file:dir { search getattr };
allow gsid {
    gsi_metadata_file
}:dir create_dir_perms;

# NOTE(review): the OTA metadata access below is not covered by the comment
# above; presumably it pairs with the ota_image_data_file grants further down
# (GSI-style images installed through an OTA path) - confirm.
allow gsid {
    ota_metadata_file
}:dir rw_dir_perms;

allow gsid {
    gsi_metadata_file
    ota_metadata_file
}:file create_file_perms;

# Image storage on /data (see the fallocate/FIEMAP description above).
allow gsid {
      gsi_data_file
      ota_image_data_file
}:dir rw_dir_perms;
allow gsid {
      gsi_data_file
      ota_image_data_file
}:file create_file_perms;
# The only ioctl permitted on these image files is FIEMAP (step 2 above).
allowxperm gsid {
      gsi_data_file
      ota_image_data_file
}:file ioctl FS_IOC_FIEMAP;

# Binder calls from gsid into system_server.
allow gsid system_server:binder call;

# Assertions protecting the GSI metadata and image files. These do not grant
# anything; they make the build reject any other domain's access.
neverallow {
    domain
    -init
    -gsid
    -fastbootd
    -recovery
    -vold
} gsi_metadata_file:dir *;

# NOTE(review): recovery is excluded from the :dir assertion above but not
# from this one, so recovery may only relabelto/getattr gsi_metadata_file
# non-device files - confirm that asymmetry is intended.
neverallow {
    domain
    -init
    -gsid
    -fastbootd
    -vold
} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };

neverallow {
    domain
    -init
    -gsid
    -fastbootd
    -vold
} { gsi_data_file gsi_metadata_file }:notdevfile_class_set *;

# NOTE(review): this rule appears to be subsumed by the `gsi_data_file:dir *`
# assertion directly below, which forbids every dir permission to the same
# set of domains.
neverallow {
    domain
    -gsid
    -init
} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };

neverallow {
    domain
    -init
    -gsid
} gsi_data_file:dir *;

# Combined with the `{ gsi_data_file gsi_metadata_file }` assertion above,
# init, fastbootd and vold are limited to relabelto/getattr on gsi_data_file
# contents; only gsid itself may do anything else with them.
neverallow {
    domain
    -gsid
} gsi_data_file:notdevfile_class_set ~{ relabelto getattr };
181