369d35d531
Also, since fsverity_init has been rewriten in C++, shell execution is no longer needed. Test: no denial is generated Bug: 112038744 Change-Id: I7e409cadd68cb6d5d8557a126a3b9e78063190be
32 lines
1.2 KiB
Plaintext
32 lines
1.2 KiB
Plaintext
type fsverity_init, domain, coredomain;
|
|
type fsverity_init_exec, exec_type, file_type, system_file_type;
|
|
|
|
init_daemon_domain(fsverity_init)
|
|
|
|
# Allow to retrieve keys from keystore.
|
|
binder_use(fsverity_init)
|
|
use_keystore(fsverity_init)
|
|
allow fsverity_init keystore:keystore_key { list get };
|
|
|
|
# Allow to read /proc/keys for searching key id.
|
|
allow fsverity_init proc_keys:file r_file_perms;
|
|
|
|
# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
|
|
dontaudit fsverity_init init:key view;
|
|
dontaudit fsverity_init vold:key view;
|
|
allow fsverity_init kernel:key { view search write setattr };
|
|
allow fsverity_init fsverity_init:key { view search write };
|
|
|
|
# Allow init to write to /proc/sys/fs/verity/require_signatures
|
|
allow fsverity_init proc_fs_verity:file w_file_perms;
|
|
|
|
# When kernel requests an algorithm, the crypto API first looks for an
|
|
# already registered algorithm with that name. If it fails, the kernel creates
|
|
# an implementation of the algorithm from templates.
|
|
dontaudit fsverity_init kernel:system module_request;
|
|
|
|
# TODO(b/132323675): remove once kernel bug is fixed.
|
|
userdebug_or_eng(`
|
|
dontaudit fsverity_init self:capability sys_admin;
|
|
')
|