// Copyright (C) 2020 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
init: Add an selinux transition for snapuserd.
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 08:21:20 +00:00
#pragma once
#include <memory>
#include <set>
#include <string>
#include "devices.h"
#include "uevent_listener.h"
namespace android {
namespace init {
// Helper in android::init for initializing block devices.
//
// NOTE(review): only declarations are visible in this header. The per-member
// notes below are inferred from names and signatures and should be confirmed
// against the implementation before being relied on.
class BlockDevInitializer final {
  public:
    BlockDevInitializer();

    // Presumably makes the device-mapper control node available — TODO confirm.
    // The bool result is the only failure signal this interface exposes, so
    // callers should check it rather than continue with a missing node.
    bool InitDeviceMapper();

    // Presumably prepares the dm-user node identified by `name`; dm-user is the
    // kernel module whose userspace component is snapuserd.
    // NOTE(review): `name` appears to select which node is set up — confirm
    // where it originates and how it is validated.
    bool InitDmUser(const std::string& name);

    // Takes the set of device names by value, so the caller's set is not
    // modified by this call. Presumably returns true only when every requested
    // device was initialized — TODO confirm.
    bool InitDevices(std::set<std::string> devices);

    // Single-device counterpart for a device-mapper device (presumably; the
    // expected form of `device`, path or name, is not visible here).
    bool InitDmDevice(const std::string& device);

  private:
    // Uevent callback. `devices` is passed by pointer, so this handler may
    // update the caller's pending set; the returned ListenerAction presumably
    // tells the listener whether to keep going — TODO confirm.
    ListenerAction HandleUevent(const Uevent& uevent, std::set<std::string>* devices);

    // Presumably shared helper for misc-class device nodes identified by
    // `name` — TODO confirm against the implementation.
    bool InitMiscDevice(const std::string& name);

    // Uniquely owned by this object (std::unique_ptr).
    std::unique_ptr<DeviceHandler> device_handler_;
    // Held by value; its lifetime matches this object's.
    UeventListener uevent_listener_;
};
} // namespace init
} // namespace android