From 486fa9fb0a53f9ce6edb04295f4bec8b0acca0cb Mon Sep 17 00:00:00 2001
From: Yunkai Lim
Date: Wed, 26 Jul 2023 06:21:30 +0000
Subject: [PATCH] Revert "Remove fsverity_init SELinux rules"
Revert submission 2662658-fsverity-init-cleanup
Reason for revert: Culprit for test breakage b/293232766
Reverted changes: /q/submissionid:2662658-fsverity-init-cleanup
Change-Id: I941c28e44890edd0e06dcc896fbd5158d34fded3
---
 private/domain.te | 14 +++----------
 private/file_contexts | 1 +
 private/fsverity_init.te | 21 +++++++++++++++++++++
 private/odsign.te | 7 +++++--
 4 files changed, 30 insertions(+), 13 deletions(-)
 create mode 100644 private/fsverity_init.te
diff --git a/private/domain.te b/private/domain.te
index 662cdd6af..692c96294 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -156,18 +156,10 @@ get_prop(domain, binder_cache_bluetooth_server_prop)
 get_prop(domain, binder_cache_system_server_prop)
 get_prop(domain, binder_cache_telephony_server_prop)
-# Allow searching the ".fs-verity" keyring.
-#
-# Note: Android no longer uses fsverity builtin signatures, which makes this
-# rule mostly unnecessary. This rule can potentially still be invoked when
-# opening a file with an fsverity builtin signature that exists on-disk from
-# Android 13 or earlier, if the kernel hasn't updated to disable fsverity
-# builtin signature support. Though, opening such a file fails regardless of
-# whether SELinux allows the keyring lookup, as the keyring is now always empty.
-# At the same time, some totally unrelated dependencies on this rule have crept
-# in as well, for example init needs it to create the session keyring on Linux
-# v5.3 and later. TODO(b/290064770) Replace this with more specific rules.
+# Allow access to fsverity keyring.
 allow domain kernel:key search;
+# Allow access to keys in the fsverity keyring that were installed at boot.
+allow domain fsverity_init:key search;
 # For testing purposes, allow access to keys installed with su.
 userdebug_or_eng(`
 allow domain su:key search;
diff --git a/private/file_contexts b/private/file_contexts
index 93449536f..123e4ed9d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -238,6 +238,7 @@
 /system/bin/init u:object_r:init_exec:s0
 # TODO(/123600489): merge mini-keyctl into toybox
 /system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
+/system/bin/fsverity_init u:object_r:fsverity_init_exec:s0
 /system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
 /system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
 /system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
new file mode 100644
index 000000000..2e5089c79
--- /dev/null
+++ b/private/fsverity_init.te
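Review bot: The restored one-line comment `# Allow access to fsverity keyring.` above `allow domain kernel:key search;` drops the explanation that this rule is mostly vestigial, that init relies on it to create the session keyring, and the TODO(b/290064770) to replace it with narrower rules. Since this revert is only meant to unbreak the test in b/293232766, keeping a shortened form of that rationale would stop the follow-up from losing track of why a domain-wide search on kernel:key is still granted. The re-added `allow domain fsverity_init:key search;` is likewise granted to every domain; its comment could note which domains actually need it (from this patch only odsign is shown launching fsverity_init, so presumably a narrower set — confirm) so the re-land can scope it down.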
@@ -0,0 +1,21 @@
+type fsverity_init, domain, coredomain;
+type fsverity_init_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(fsverity_init)
+
+# Allow to read /proc/keys for searching key id.
+allow fsverity_init proc_keys:file r_file_perms;
+
+# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
+dontaudit fsverity_init domain:key view;
+allow fsverity_init kernel:key { view search write setattr };
+allow fsverity_init fsverity_init:key { view search write };
+
+# Read the on-device signing certificate, to be able to add it to the keyring
+allow fsverity_init odsign:fd use;
+allow fsverity_init odsign_data_file:file { getattr read };
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit fsverity_init kernel:system module_request;
diff --git a/private/odsign.te b/private/odsign.te
index da1d9d61a..f06795cc3 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -51,6 +51,9 @@ allow odsign apex_art_data_file:file { rw_file_perms unlink };
 # Run odrefresh to refresh ART artifacts
 domain_auto_trans(odsign, odrefresh_exec, odrefresh)
+# Run fsverity_init to add key to fsverity keyring
+domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
+
 # Run compos_verify to verify CompOs signatures
 domain_auto_trans(odsign, compos_verify_exec, compos_verify)
@@ -62,5 +65,5 @@ neverallow { domain -odsign -init } odsign_prop:property_service set;
 set_prop(odsign, ctl_odsign_prop)
 # Neverallows
-neverallow { domain -odsign -init } odsign_data_file:dir ~search;
-neverallow { domain -odsign -init } odsign_data_file:file *;
+neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
+neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;
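Review bot: `allow fsverity_init kernel:key { view search write setattr };` is the broadest rule in the new file and the only one without its own comment: `write` and `setattr` on the kernel keyring go well beyond the `/proc/keys` lookup that the comment two lines above describes. A one-line why-comment such as `# write/setattr on the kernel keyring: needed to add the odsign certificate to .fs-verity and change keyring attributes` (presumably the step the odsign.te hunk's "add key to fsverity keyring" comment refers to — confirm against what fsverity_init actually does) would let a later cleanup tell which of the four permissions are really required. The same applies to `allow fsverity_init fsverity_init:key { view search write };`, whose purpose is not stated either.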
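Review bot: In the second odsign.te hunk the two rewritten neverallow lines omit the space before the closing brace, `-fsverity_init}`, unlike every other brace set in the file (`{ rw_file_perms unlink }`); `neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir ~search;` and the matching `odsign_data_file:file *;` line keep the file's spacing. The carve-out also deserves a word in the first hunk's comment, since `# Run fsverity_init to add key to fsverity keyring` does not say that fsverity_init reads the certificate from odsign_data_file through the fd odsign passes it, which is the reason it must be exempted from these neverallows.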