Revert "Remove fsverity_init SELinux rules"

Revert submission 2662658-fsverity-init-cleanup

Reason for revert: Culprit for test breakage b/293232766

Reverted changes: /q/submissionid:2662658-fsverity-init-cleanup

Change-Id: I941c28e44890edd0e06dcc896fbd5158d34fded3

private/domain.te

@@ -156,18 +156,10 @@ get_prop(domain, binder_cache_bluetooth_server_prop)
 get_prop(domain, binder_cache_system_server_prop)
 get_prop(domain, binder_cache_telephony_server_prop)
 
-# Allow searching the ".fs-verity" keyring.
-#
-# Note: Android no longer uses fsverity builtin signatures, which makes this
-# rule mostly unnecessary.  This rule can potentially still be invoked when
-# opening a file with an fsverity builtin signature that exists on-disk from
-# Android 13 or earlier, if the kernel hasn't updated to disable fsverity
-# builtin signature support.  Though, opening such a file fails regardless of
-# whether SELinux allows the keyring lookup, as the keyring is now always empty.
-# At the same time, some totally unrelated dependencies on this rule have crept
-# in as well, for example init needs it to create the session keyring on Linux
-# v5.3 and later.  TODO(b/290064770) Replace this with more specific rules.
+# Allow access to fsverity keyring.
 allow domain kernel:key search;
+# Allow access to keys in the fsverity keyring that were installed at boot.
+allow domain fsverity_init:key search;
 # For testing purposes, allow access to keys installed with su.
 userdebug_or_eng(`
   allow domain su:key search;

private/file_contexts

@@ -238,6 +238,7 @@
 /system/bin/init		u:object_r:init_exec:s0
 # TODO(/123600489): merge mini-keyctl into toybox
 /system/bin/mini-keyctl	--	u:object_r:toolbox_exec:s0
+/system/bin/fsverity_init	u:object_r:fsverity_init_exec:s0
 /system/bin/sload_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/make_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0

private/fsverity_init.te

@@ -0,0 +1,21 @@
+type fsverity_init, domain, coredomain;
+type fsverity_init_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(fsverity_init)
+
+# Allow to read /proc/keys for searching key id.
+allow fsverity_init proc_keys:file r_file_perms;
+
+# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
+dontaudit fsverity_init domain:key view;
+allow fsverity_init kernel:key { view search write setattr };
+allow fsverity_init fsverity_init:key { view search write };
+
+# Read the on-device signing certificate, to be able to add it to the keyring
+allow fsverity_init odsign:fd use;
+allow fsverity_init odsign_data_file:file { getattr read };
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit fsverity_init kernel:system module_request;

private/odsign.te

@@ -51,6 +51,9 @@ allow odsign apex_art_data_file:file { rw_file_perms unlink };
 # Run odrefresh to refresh ART artifacts
 domain_auto_trans(odsign, odrefresh_exec, odrefresh)
 
+# Run fsverity_init to add key to fsverity keyring
+domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
+
 # Run compos_verify to verify CompOs signatures
 domain_auto_trans(odsign, compos_verify_exec, compos_verify)
 
@@ -62,5 +65,5 @@ neverallow { domain -odsign -init } odsign_prop:property_service set;
 set_prop(odsign, ctl_odsign_prop)
 
 # Neverallows
-neverallow { domain -odsign -init } odsign_data_file:dir ~search;
-neverallow { domain -odsign -init } odsign_data_file:file *;
+neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
+neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;