Merge "Revert "Remove fsverity_init SELinux rules"" into main am: dfe3906e7b
am: 9def335a7e
am: 5be91be28c
am: 82154bc9df
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2676759 Change-Id: I3bae25b58c3d158c0c8f812936551ecd59ce5044 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
4e7f9b6963
4 changed files with 30 additions and 13 deletions
|
@ -156,18 +156,10 @@ get_prop(domain, binder_cache_bluetooth_server_prop)
|
|||
get_prop(domain, binder_cache_system_server_prop)
|
||||
get_prop(domain, binder_cache_telephony_server_prop)
|
||||
|
||||
# Allow searching the ".fs-verity" keyring.
|
||||
#
|
||||
# Note: Android no longer uses fsverity builtin signatures, which makes this
|
||||
# rule mostly unnecessary. This rule can potentially still be invoked when
|
||||
# opening a file with an fsverity builtin signature that exists on-disk from
|
||||
# Android 13 or earlier, if the kernel hasn't updated to disable fsverity
|
||||
# builtin signature support. Though, opening such a file fails regardless of
|
||||
# whether SELinux allows the keyring lookup, as the keyring is now always empty.
|
||||
# At the same time, some totally unrelated dependencies on this rule have crept
|
||||
# in as well, for example init needs it to create the session keyring on Linux
|
||||
# v5.3 and later. TODO(b/290064770) Replace this with more specific rules.
|
||||
# Allow access to fsverity keyring.
|
||||
allow domain kernel:key search;
|
||||
# Allow access to keys in the fsverity keyring that were installed at boot.
|
||||
allow domain fsverity_init:key search;
|
||||
# For testing purposes, allow access to keys installed with su.
|
||||
userdebug_or_eng(`
|
||||
allow domain su:key search;
|
||||
|
|
|
@ -239,6 +239,7 @@
|
|||
/system/bin/init u:object_r:init_exec:s0
|
||||
# TODO(/123600489): merge mini-keyctl into toybox
|
||||
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
|
||||
/system/bin/fsverity_init u:object_r:fsverity_init_exec:s0
|
||||
/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
|
||||
/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
|
||||
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
|
||||
|
|
21
private/fsverity_init.te
Normal file
21
private/fsverity_init.te
Normal file
|
@ -0,0 +1,21 @@
|
|||
type fsverity_init, domain, coredomain;
|
||||
type fsverity_init_exec, exec_type, file_type, system_file_type;
|
||||
|
||||
init_daemon_domain(fsverity_init)
|
||||
|
||||
# Allow to read /proc/keys for searching key id.
|
||||
allow fsverity_init proc_keys:file r_file_perms;
|
||||
|
||||
# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
|
||||
dontaudit fsverity_init domain:key view;
|
||||
allow fsverity_init kernel:key { view search write setattr };
|
||||
allow fsverity_init fsverity_init:key { view search write };
|
||||
|
||||
# Read the on-device signing certificate, to be able to add it to the keyring
|
||||
allow fsverity_init odsign:fd use;
|
||||
allow fsverity_init odsign_data_file:file { getattr read };
|
||||
|
||||
# When kernel requests an algorithm, the crypto API first looks for an
|
||||
# already registered algorithm with that name. If it fails, the kernel creates
|
||||
# an implementation of the algorithm from templates.
|
||||
dontaudit fsverity_init kernel:system module_request;
|
|
@ -51,6 +51,9 @@ allow odsign apex_art_data_file:file { rw_file_perms unlink };
|
|||
# Run odrefresh to refresh ART artifacts
|
||||
domain_auto_trans(odsign, odrefresh_exec, odrefresh)
|
||||
|
||||
# Run fsverity_init to add key to fsverity keyring
|
||||
domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
|
||||
|
||||
# Run compos_verify to verify CompOs signatures
|
||||
domain_auto_trans(odsign, compos_verify_exec, compos_verify)
|
||||
|
||||
|
@ -62,5 +65,5 @@ neverallow { domain -odsign -init } odsign_prop:property_service set;
|
|||
set_prop(odsign, ctl_odsign_prop)
|
||||
|
||||
# Neverallows
|
||||
neverallow { domain -odsign -init } odsign_data_file:dir ~search;
|
||||
neverallow { domain -odsign -init } odsign_data_file:file *;
|
||||
neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
|
||||
neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;
|
||||
|
|
Loading…
Reference in a new issue