PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
825936c473
android_system_sepolicy/private/fsverity_init.te
Victor Hsieh 12121797f4 Don't audit fsverity_init's view to domain:key 
Like the existing dontaudit, fsverity_init shouldn't need to view
unrelevant keys.

Bug: 193474772
Test: m
Change-Id: I177bacdb89d0ed967cae84f109a5e841f2e7349f
2021-07-21 14:51:00 +00:00

25 lines
1.0 KiB
Plaintext
Raw Blame History

type fsverity_init, domain, coredomain;
type fsverity_init_exec, exec_type, file_type, system_file_type;
init_daemon_domain(fsverity_init)
# Allow to read /proc/keys for searching key id.
allow fsverity_init proc_keys:file r_file_perms;
# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
dontaudit fsverity_init domain:key view;
allow fsverity_init kernel:key { view search write setattr };
allow fsverity_init fsverity_init:key { view search write };
# Allow init to write to /proc/sys/fs/verity/require_signatures
allow fsverity_init proc_fs_verity:file w_file_perms;
# Read the on-device signing certificate, to be able to add it to the keyring
allow fsverity_init odsign:fd use;
allow fsverity_init odsign_data_file:file { getattr read };
# When kernel requests an algorithm, the crypto API first looks for an
# already registered algorithm with that name. If it fails, the kernel creates
# an implementation of the algorithm from templates.
dontaudit fsverity_init kernel:system module_request;
Reference in New Issue View Git Blame Copy Permalink