diff --git a/init/Android.bp b/init/Android.bp index 1af398a9a..4416b9dc2 100644 --- a/init/Android.bp +++ b/init/Android.bp @@ -166,11 +166,9 @@ libinit_cc_defaults { "libbootloader_message", "libc++fs", "libcgrouprc_format", - "libfsverity_init", "liblmkd_utils", "liblz4", "libzstd", - "libmini_keyctl_static", "libmodprobe", "libprocinfo", "libprotobuf-cpp-lite", diff --git a/init/selinux.cpp b/init/selinux.cpp index e0ef4913c..b6d483a47 100644 --- a/init/selinux.cpp +++ b/init/selinux.cpp @@ -74,10 +74,8 @@ #include #include #include -#include #include #include -#include #include #include @@ -510,7 +508,6 @@ bool OpenMonolithicPolicy(PolicyFile* policy_file) { constexpr const char* kSigningCertRelease = "/system/etc/selinux/com.android.sepolicy.cert-release.der"; -constexpr const char* kFsVerityProcPath = "/proc/sys/fs/verity"; const std::string kSepolicyApexMetadataDir = "/metadata/sepolicy/"; const std::string kSepolicyApexSystemDir = "/system/etc/selinux/apex/"; const std::string kSepolicyZip = "SEPolicy.zip"; @@ -614,24 +611,6 @@ Result GetPolicyFromApex(const std::string& dir) { return {}; } -Result LoadSepolicyApexCerts() { - key_serial_t keyring_id = android::GetKeyringId(".fs-verity"); - if (keyring_id < 0) { - return Error() << "Failed to find .fs-verity keyring id"; - } - - // TODO(b/199914227) the release key should always exist. Once it's checked in, start - // throwing an error here if it doesn't exist. - if (access(kSigningCertRelease, F_OK) == 0) { - LoadKeyFromFile(keyring_id, "fsv_sepolicy_apex_release", kSigningCertRelease); - } - return {}; -} - -Result SepolicyFsVerityCheck() { - return Error() << "TODO implement support for fsverity SEPolicy."; -} - Result SepolicyCheckSignature(const std::string& dir) { std::string signature; if (!android::base::ReadFileToString(dir + kSepolicySignature, &signature)) { @@ -654,18 +633,7 @@ Result SepolicyCheckSignature(const std::string& dir) { return verifySignature(sepolicyStr, signature, *releaseKey); } -Result SepolicyVerify(const std::string& dir, bool supportsFsVerity) { - if (supportsFsVerity) { - auto fsVerityCheck = SepolicyFsVerityCheck(); - if (fsVerityCheck.ok()) { - return fsVerityCheck; - } - // TODO(b/199914227) If the device supports fsverity, but we fail here, we should fail to - // boot and not carry on. For now, fallback to a signature checkuntil the fsverity - // logic is implemented. - LOG(INFO) << "Falling back to standard signature check. " << fsVerityCheck.error(); - } - +Result SepolicyVerify(const std::string& dir) { auto sepolicySignature = SepolicyCheckSignature(dir); if (!sepolicySignature.ok()) { return Error() << "Apex SEPolicy failed signature check"; @@ -698,23 +666,13 @@ void CleanupApexSepolicy() { // 6. Sets selinux into enforcing mode and continues normal booting. // void PrepareApexSepolicy() { - bool supportsFsVerity = access(kFsVerityProcPath, F_OK) == 0; - if (supportsFsVerity) { - auto loadSepolicyApexCerts = LoadSepolicyApexCerts(); - if (!loadSepolicyApexCerts.ok()) { - // TODO(b/199914227) If the device supports fsverity, but we fail here, we should fail - // to boot and not carry on. For now, fallback to a signature checkuntil the fsverity - // logic is implemented. - LOG(INFO) << loadSepolicyApexCerts.error(); - } - } // If apex sepolicy zip exists in /metadata/sepolicy, use that, otherwise use version on // /system. auto dir = (access((kSepolicyApexMetadataDir + kSepolicyZip).c_str(), F_OK) == 0) ? kSepolicyApexMetadataDir : kSepolicyApexSystemDir; - auto sepolicyVerify = SepolicyVerify(dir, supportsFsVerity); + auto sepolicyVerify = SepolicyVerify(dir); if (!sepolicyVerify.ok()) { LOG(INFO) << "Error: " << sepolicyVerify.error(); // If signature verification fails, fall back to version on /system.