From 306f51061115f5f0aea05feb4db2e7a8d57825bf Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Tue, 18 Jul 2023 18:40:05 +0000
Subject: [PATCH] Remove fsverity_init SELinux rules

Since the fsverity_init binary is being removed, remove the corresponding SELinux rules too.

For now, keep the rule "allow domain kernel:key search", which existed to allow the fsverity keyring to be searched. It turns out to actually be needed for a bit more than that. We should be able to replace it with something more precise, but we need to be careful.

Bug: 290064770
Test: Verified no SELinux denials when booting Cuttlefish
Change-Id: I992b75808284cb8a3c26a84be548390193113668
---
 private/domain.te | 14 +++++++++++---
 private/file_contexts | 1 -
 private/fsverity_init.te | 21 ---------------------
 private/odsign.te | 7 ++-----
 4 files changed, 13 insertions(+), 30 deletions(-)
 delete mode 100644 private/fsverity_init.te

diff --git a/private/domain.te b/private/domain.te
index 692c96294..662cdd6af 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -156,10 +156,18 @@ get_prop(domain, binder_cache_bluetooth_server_prop)
 get_prop(domain, binder_cache_system_server_prop)
 get_prop(domain, binder_cache_telephony_server_prop)
-# Allow access to fsverity keyring.
+# Allow searching the ".fs-verity" keyring.
+#
+# Note: Android no longer uses fsverity builtin signatures, which makes this
+# rule mostly unnecessary. This rule can potentially still be invoked when
+# opening a file with an fsverity builtin signature that exists on-disk from
+# Android 13 or earlier, if the kernel hasn't updated to disable fsverity
+# builtin signature support. Though, opening such a file fails regardless of
+# whether SELinux allows the keyring lookup, as the keyring is now always empty.
+# At the same time, some totally unrelated dependencies on this rule have crept
+# in as well, for example init needs it to create the session keyring on Linux
+# v5.3 and later. TODO(b/290064770) Replace this with more specific rules.
 allow domain kernel:key search;
-# Allow access to keys in the fsverity keyring that were installed at boot.
-allow domain fsverity_init:key search;
 # For testing purposes, allow access to keys installed with su.
 userdebug_or_eng(`
 allow domain su:key search;
diff --git a/private/file_contexts b/private/file_contexts
index 123e4ed9d..93449536f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -238,7 +238,6 @@
 /system/bin/init u:object_r:init_exec:s0
 # TODO(/123600489): merge mini-keyctl into toybox
 /system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
-/system/bin/fsverity_init u:object_r:fsverity_init_exec:s0
 /system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
 /system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
 /system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
deleted file mode 100644
index 2e5089c79..000000000
--- a/private/fsverity_init.te
+++ /dev/null
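Review bot: The retained `allow domain kernel:key search;` is justified in the new comment by a single example ("for example init needs it to create the session keyring"), so whoever picks up TODO(b/290064770) cannot tell from the policy which other domains depend on this rule and cannot safely narrow it; the commit message says it is "needed for a bit more than that" but the hunk does not record what. Suggest listing the dependents observed in the Cuttlefish boot test directly in the comment, e.g. `# Known dependents (verified on Cuttlefish): init (session keyring, Linux v5.3+); <add others as found>`, or pointing the TODO at a bug comment that enumerates them. The fsverity-specific half of the comment could also be trimmed now that it states the keyring is always empty and the lookup no longer decides anything, since the rule's only live justification is the unrelated keyring uses.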
@@ -1,21 +0,0 @@
-type fsverity_init, domain, coredomain;
-type fsverity_init_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(fsverity_init)
-
-# Allow to read /proc/keys for searching key id.
-allow fsverity_init proc_keys:file r_file_perms;
-
-# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
-dontaudit fsverity_init domain:key view;
-allow fsverity_init kernel:key { view search write setattr };
-allow fsverity_init fsverity_init:key { view search write };
-
-# Read the on-device signing certificate, to be able to add it to the keyring
-allow fsverity_init odsign:fd use;
-allow fsverity_init odsign_data_file:file { getattr read };
-
-# When kernel requests an algorithm, the crypto API first looks for an
-# already registered algorithm with that name. If it fails, the kernel creates
-# an implementation of the algorithm from templates.
-dontaudit fsverity_init kernel:system module_request;
diff --git a/private/odsign.te b/private/odsign.te
index f06795cc3..da1d9d61a 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -51,9 +51,6 @@ allow odsign apex_art_data_file:file { rw_file_perms unlink };
 # Run odrefresh to refresh ART artifacts
 domain_auto_trans(odsign, odrefresh_exec, odrefresh)
-# Run fsverity_init to add key to fsverity keyring
-domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
-
 # Run compos_verify to verify CompOs signatures
 domain_auto_trans(odsign, compos_verify_exec, compos_verify)
@@ -65,5 +62,5 @@ neverallow { domain -odsign -init } odsign_prop:property_service set;
 set_prop(odsign, ctl_odsign_prop)
 # Neverallows
-neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
-neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;
+neverallow { domain -odsign -init } odsign_data_file:dir ~search;
+neverallow { domain -odsign -init } odsign_data_file:file *;