Sepolicy: Allow everyone to search keyrings

Allow everyone to look for keys in the fsverity keyring. This is required to access fsverity-protected files, at all. This set of permissions is analogous to allowances for the fscrypt keyring and keys. Bug: 125474642 Test: m Test: manual Change-Id: I6e8c13272cdd76d9940d950e9dabecdb210691b1
2019-03-13 15:21:41 -07:00 · 2019-03-13 15:21:41 -07:00 · 59d5d90da8
commit 59d5d90da8
parent a907d15ba1
5 changed files with 9 additions and 23 deletions
--- a/private/art_apex_boot_integrity.te
+++ b/private/art_apex_boot_integrity.te
@ -26,9 +26,3 @@ allow art_apex_boot_integrity system_file:file execute_no_trans;
 allowxperm art_apex_boot_integrity dalvikcache_data_file:file ioctl {
  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
 };
-
-allow art_apex_boot_integrity kernel:key search;
-# For testing purposes, allow keys installed with su.
-userdebug_or_eng(`
-  allow art_apex_boot_integrity su:key search;
-')
--- a/private/art_apex_postinstall.te
+++ b/private/art_apex_postinstall.te
@ -29,9 +29,3 @@ allow art_apex_postinstall system_file:file execute_no_trans;
 allowxperm art_apex_postinstall ota_data_file:file ioctl {
  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
 };
-
-allow art_apex_postinstall kernel:key search;
-# For testing purposes, allow keys installed with su.
-userdebug_or_eng(`
-  allow art_apex_postinstall su:key search;
-')
--- a/private/art_apex_preinstall.te
+++ b/private/art_apex_preinstall.te
@ -31,9 +31,3 @@ allow art_apex_preinstall system_file:file execute_no_trans;
 allowxperm art_apex_preinstall ota_data_file:file ioctl {
  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
 };
-
-allow art_apex_preinstall kernel:key search;
-# For testing purposes, allow keys installed with su.
-userdebug_or_eng(`
-  allow art_apex_preinstall su:key search;
-')
--- a/private/domain.te
+++ b/private/domain.te
@ -73,6 +73,15 @@ compatible_property_only(`
    get_prop({domain -coredomain -appdomain}, vendor_default_prop)
 ')

+# Allow access to fsverity keyring.
+allow domain kernel:key search;
+# Allow access to keys in the fsverity keyring that were installed at boot.
+allow domain mini-keyctl:key search;
+# For testing purposes, allow access to keys installed with su.
+userdebug_or_eng(`
+  allow domain su:key search;
+')
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow {
--- a/private/system_server.te
+++ b/private/system_server.te
@ -809,11 +809,6 @@ allow system_server toolbox_exec:file rx_file_perms;
 allowxperm system_server apk_data_file:file ioctl {
  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
 };
-# Allow system process to access the keyring.
-allow system_server kernel:key search;
-userdebug_or_eng(`
-  allow system_server su:key search;
-')

 # Postinstall
 #