platform_system_sepolicy/private/fsverity_init.te

type fsverity_init, domain, coredomain;
type fsverity_init_exec, exec_type, file_type, system_file_type;

init_daemon_domain(fsverity_init)

# Allow to read /proc/keys for searching key id.
allow fsverity_init proc_keys:file r_file_perms;

# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
dontaudit fsverity_init domain:key view;
allow fsverity_init kernel:key { view search write setattr };
allow fsverity_init fsverity_init:key { view search write };

# Allow init to write to /proc/sys/fs/verity/require_signatures
allow fsverity_init proc_fs_verity:file w_file_perms;

# Read the on-device signing certificate, to be able to add it to the keyring
allow fsverity_init odsign:fd use;
allow fsverity_init odsign_data_file:file { getattr read };

# When kernel requests an algorithm, the crypto API first looks for an
# already registered algorithm with that name. If it fails, the kernel creates
# an implementation of the algorithm from templates.
dontaudit fsverity_init kernel:system module_request;
Move fs-verity key loading into fsverity_init domain fsverity_init is a new shell script that uses mini-keyctl for the actual key loading. Given the plan to implement keyctl in toybox, we label mini-keyctl as u:object_r:toolbox_exec:s0. This gives us two benefits: - Better compatibility to keyctl(1), which doesn't have "dadd" - Pave the way to specify key's security labels, since keyctl(1) doesn't support, and we want to avoid adding incompatible option. Test: Boot without SELinux denial Test: After boot, see the key in /product loaded Bug: 128607724 Change-Id: Iebd7c9b3c7aa99ad56f74f557700fd85ec58e9d0 2019-03-15 19:15:31 +01:00			`type fsverity_init, domain, coredomain;`
			`type fsverity_init_exec, exec_type, file_type, system_file_type;`

			`init_daemon_domain(fsverity_init)`

			`# Allow to read /proc/keys for searching key id.`
			`allow fsverity_init proc_keys:file r_file_perms;`

Don't audit fsverity_init's view to domain:key Like the existing dontaudit, fsverity_init shouldn't need to view unrelevant keys. Bug: 193474772 Test: m Change-Id: I177bacdb89d0ed967cae84f109a5e841f2e7349f 2021-07-13 21:21:54 +02:00			`# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.`
			`dontaudit fsverity_init domain:key view;`
Move fs-verity key loading into fsverity_init domain fsverity_init is a new shell script that uses mini-keyctl for the actual key loading. Given the plan to implement keyctl in toybox, we label mini-keyctl as u:object_r:toolbox_exec:s0. This gives us two benefits: - Better compatibility to keyctl(1), which doesn't have "dadd" - Pave the way to specify key's security labels, since keyctl(1) doesn't support, and we want to avoid adding incompatible option. Test: Boot without SELinux denial Test: After boot, see the key in /product loaded Bug: 128607724 Change-Id: Iebd7c9b3c7aa99ad56f74f557700fd85ec58e9d0 2019-03-15 19:15:31 +01:00			`allow fsverity_init kernel:key { view search write setattr };`
			`allow fsverity_init fsverity_init:key { view search write };`

			`# Allow init to write to /proc/sys/fs/verity/require_signatures`
			`allow fsverity_init proc_fs_verity:file w_file_perms;`

SELinux policy for on-device signing binary. Bug: 165630556 Test: no denials on boot Change-Id: I9d75659fb1eaea562c626ff54521f6dfb02da6b3 2020-11-27 12:23:54 +01:00			`# Read the on-device signing certificate, to be able to add it to the keyring`
			`allow fsverity_init odsign:fd use;`
			`allow fsverity_init odsign_data_file:file { getattr read };`

Move fs-verity key loading into fsverity_init domain fsverity_init is a new shell script that uses mini-keyctl for the actual key loading. Given the plan to implement keyctl in toybox, we label mini-keyctl as u:object_r:toolbox_exec:s0. This gives us two benefits: - Better compatibility to keyctl(1), which doesn't have "dadd" - Pave the way to specify key's security labels, since keyctl(1) doesn't support, and we want to avoid adding incompatible option. Test: Boot without SELinux denial Test: After boot, see the key in /product loaded Bug: 128607724 Change-Id: Iebd7c9b3c7aa99ad56f74f557700fd85ec58e9d0 2019-03-15 19:15:31 +01:00			`# When kernel requests an algorithm, the crypto API first looks for an`
			`# already registered algorithm with that name. If it fails, the kernel creates`
			`# an implementation of the algorithm from templates.`
			`dontaudit fsverity_init kernel:system module_request;`