Merge "Modify sepolicy for compos key changes"
commit
5273f3a486
12 changed files with 73 additions and 29 deletions
|
@ -1,4 +1,5 @@
|
|||
(/.*)? u:object_r:system_file:s0
|
||||
/bin/compsvc u:object_r:compos_exec:s0
|
||||
/bin/compos_verify_key u:object_r:compos_verify_key_exec:s0
|
||||
/bin/compos_key_helper u:object_r:compos_key_helper_exec:s0
|
||||
/bin/compos_verify u:object_r:compos_verify_exec:s0
|
||||
/bin/composd u:object_r:composd_exec:s0
|
||||
/bin/compsvc u:object_r:compos_exec:s0
|
||||
|
|
|
@ -30,5 +30,10 @@ dontaudit compos self:dir write;
|
|||
# See b/35323867#comment3
|
||||
dontaudit compos self:global_capability_class_set dac_override;
|
||||
|
||||
# Allow domain transition into odrefresh.
|
||||
# Allow running odrefresh in its own domain
|
||||
domain_auto_trans(compos, odrefresh_exec, odrefresh)
|
||||
|
||||
# Allow running compos_key_helper in its own domain
|
||||
domain_auto_trans(compos, compos_key_helper_exec, compos_key_helper)
|
||||
# And killing it on error
|
||||
allow compos compos_key_helper:process sigkill;
|
||||
|
|
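--- /dev/null
+++ b/microdroid/system/private/compos_key_helper.te
@@ -0,0 +1,20 @@
+# Helper process for compos to perform key derivation & signing
+type compos_key_helper, domain, coredomain;
+type compos_key_helper_exec, exec_type, file_type, system_file_type;
+
+# This domain has access to DICE secrets & the private signing key.
+# Block crash dumps to ensure the secrets are not leaked.
+typeattribute compos_key_helper no_crash_dump_domain;
+
+# Allow using DICE binder service
+binder_use(compos_key_helper);
+allow compos_key_helper dice_node_service:service_manager find;
+binder_call(compos_key_helper, diced);
+allow compos_key_helper diced:diced { get_attestation_chain derive };
+
+# Communicate with compos via stdin/stdout pipes
+allow compos_key_helper compos:fd use;
+allow compos_key_helper compos:fifo_file { getattr read write };
+
+# Write to /dev/kmsg.
+allow compos_key_helper kmsg_device:chr_file rw_file_perms;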
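Review bot: Nothing in the new file restricts which domains may enter compos_key_helper, even though its own comment says the domain holds DICE secrets and the private signing key. The only entry rule visible on this page is `domain_auto_trans(compos, compos_key_helper_exec, compos_key_helper)` in the compos policy. The compos_verify.te file added in the same commit pins its entry point with neverallow rules, and the same pattern fits here: `neverallow { domain -compos } compos_key_helper:process transition;` and `neverallow * compos_key_helper:process dyntransition;`. Separately, the comment `# Write to /dev/kmsg.` sits above a rule granting `rw_file_perms`; if the helper only logs, `w_file_perms` would match the comment and avoid giving a secret-holding domain read access to the kernel log.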
|
@ -1,6 +1,9 @@
|
|||
type diced, domain, coredomain;
|
||||
type diced_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
# Block crash dumps to ensure the DICE secrets are not leaked.
|
||||
typeattribute diced no_crash_dump_domain;
|
||||
|
||||
# diced can be started by init
|
||||
init_daemon_domain(diced)
|
||||
|
||||
|
|
|
@ -263,9 +263,7 @@ allow domain kernel:key search;
|
|||
|
||||
# Transition to crash_dump when /system/bin/crash_dump* is executed.
|
||||
# This occurs when the process crashes.
|
||||
# We do not apply this to the su domain to avoid interfering with
|
||||
# tests (b/114136122)
|
||||
domain_auto_trans(domain, crash_dump_exec, crash_dump);
|
||||
domain_auto_trans({domain -no_crash_dump_domain}, crash_dump_exec, crash_dump);
|
||||
allow domain crash_dump:process sigchld;
|
||||
|
||||
# Properties that microdroid doesn't have but some still want to read.
|
||||
|
@ -605,3 +603,7 @@ neverallow { domain -init -vendor_init } debugfs_tracing_printk_formats:file *;
|
|||
|
||||
# Linux lockdown "integrity" level is enforced for user builds.
|
||||
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
|
||||
|
||||
# These domains must not be crash dumped
|
||||
neverallow no_crash_dump_domain crash_dump_exec:file no_x_file_perms;
|
||||
neverallow no_crash_dump_domain crash_dump:process { transition dyntransition };
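Review bot: The two neverallow rules added in the second hunk only cover the path where a protected process itself executes crash_dump or transitions into it; they do not constrain what crash_dump (or another domain) may do to a no_crash_dump_domain process. Whether microdroid's crash_dump policy grants ptrace over these domains is not visible on this page, so it is worth pinning the intent with a rule such as `neverallow crash_dump no_crash_dump_domain:process ptrace;` next to the existing two. The comment `# These domains must not be crash dumped` could also say why, e.g. `# These domains hold secrets (DICE, signing keys) and must not be crash dumped`, so that the reason is visible where the attribute is enforced.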
|
||||
|
|
|
@ -373,3 +373,6 @@ attribute fusefs_type;
|
|||
|
||||
# All types run from microdroid_manager as a payload
|
||||
attribute microdroid_payload;
|
||||
|
||||
# Domains that are blocked from producing a crash dump
|
||||
attribute no_crash_dump_domain;
|
||||
|
|
3
microdroid/vendor/hal_dice_default.te
vendored
3
microdroid/vendor/hal_dice_default.te
vendored
|
@ -1,6 +1,9 @@
|
|||
type hal_dice_default, domain;
|
||||
hal_server_domain(hal_dice_default, hal_dice)
|
||||
|
||||
# Block crash dumps to ensure the DICE secrets are not leaked.
|
||||
typeattribute hal_dice_default no_crash_dump_domain;
|
||||
|
||||
type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
|
||||
init_daemon_domain(hal_dice_default)
|
||||
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
type compos_exec, exec_type, file_type, system_file_type;
|
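--- /dev/null
+++ b/private/compos_verify.te
@@ -0,0 +1,23 @@
+# Run by odsign to verify a CompOS signature
+type compos_verify, domain, coredomain;
+type compos_verify_exec, exec_type, file_type, system_file_type;
+
+# Start a VM
+binder_use(compos_verify);
+virtualizationservice_use(compos_verify);
+
+# Access instance image files
+allow compos_verify apex_module_data_file:dir search;
+r_dir_file(compos_verify, apex_compos_data_file)
+
+# Read CompOS info & signature files
+allow compos_verify apex_art_data_file:dir search;
+allow compos_verify apex_art_data_file:file r_file_perms;
+
+# Allow odsign to redirect our stdout/stderr to log
+allow compos_verify odsign:fd use;
+allow compos_verify odsign_devpts:chr_file { read write };
+
+# Only odsign can enter the domain via exec
+neverallow { domain -odsign } compos_verify:process transition;
+neverallow * compos_verify:process dyntransition;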
|
@ -1,20 +0,0 @@
|
|||
# Run by odsign to verify a CompOs instance's keys.
|
||||
type compos_verify_key, domain, coredomain;
|
||||
|
||||
type compos_verify_key_exec, exec_type, file_type, system_file_type;
|
||||
|
||||
binder_use(compos_verify_key);
|
||||
virtualizationservice_use(compos_verify_key);
|
||||
|
||||
# Access the image & key files, delete on failure, rename pending to current
|
||||
allow compos_verify_key apex_module_data_file:dir search;
|
||||
allow compos_verify_key apex_compos_data_file:dir create_dir_perms;
|
||||
allow compos_verify_key apex_compos_data_file:file create_file_perms;
|
||||
|
||||
# Allow odsign to redirect our stdout/stderr to log
|
||||
allow compos_verify_key odsign:fd use;
|
||||
allow compos_verify_key odsign_devpts:chr_file { read write };
|
||||
|
||||
# Only odsign can enter the domain via exec
|
||||
neverallow { domain -odsign } compos_verify_key:process transition;
|
||||
neverallow * compos_verify_key:process dyntransition;
|
|
@ -88,6 +88,11 @@ type kvm_device, dev_type;
|
|||
# /apex/com.android.virt/bin/fd_server
|
||||
type fd_server_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
# /apex/com.android.compos/bin/compsvc
|
||||
type compos_exec, exec_type, file_type, system_file_type;
|
||||
# /apex/com.android.compos/bin/compos_key_helper
|
||||
type compos_key_helper_exec, exec_type, file_type, system_file_type;
|
||||
|
||||
# /metadata/sepolicy
|
||||
type sepolicy_metadata_file, file_type;
|
||||
|
||||
|
|
|
@ -54,8 +54,8 @@ domain_auto_trans(odsign, odrefresh_exec, odrefresh)
|
|||
# Run fsverity_init to add key to fsverity keyring
|
||||
domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
|
||||
|
||||
# Run compos_verify_key to verify CompOs instances
|
||||
domain_auto_trans(odsign, compos_verify_key_exec, compos_verify_key)
|
||||
# Run compos_verify to verify CompOs signatures
|
||||
domain_auto_trans(odsign, compos_verify_exec, compos_verify)
|
||||
|
||||
# only odsign can set odsign sysprop
|
||||
set_prop(odsign, odsign_prop)
|
||||
|
|