Merge "SELinux policy for on-device signing binary."

2021-02-05 11:22:37 +00:00 · 2021-02-05 11:22:37 +00:00 · 9e794114b2
commit 9e794114b2
parent 0f01076482 6afdb72cbb
8 changed files with 63 additions and 0 deletions
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@ -60,6 +60,9 @@
    nfc_logs_data_file
    odrefresh
    odrefresh_exec
+    odsign
+    odsign_data_file
+    odsign_exec
    people_service
    persist_vendor_debug_wifi_prop
    power_debug_prop
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@ -38,6 +38,10 @@ allow dex2oat apex_module_data_file:dir search;
 # Allow dex2oat to use file descriptors passed from odrefresh.
 allow dex2oat odrefresh:fd use;

+# Allow dex2oat to use devpts and file descriptors passed from odsign
+allow dex2oat odsign_devpts:chr_file { read write };
+allow dex2oat odsign:fd use;
+
 # Allow dex2oat to write to file descriptors from odrefresh for files
 # in the staging area.
 allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
--- a/private/domain.te
+++ b/private/domain.te
@ -277,6 +277,7 @@ neverallow {
  domain
  # art processes
  -odrefresh
+  -odsign
  # others
  -apexd
  -init
@ -287,6 +288,7 @@ neverallow {
  domain
  # art processes
  -odrefresh
+  -odsign
  # others
  -apexd
  -init
--- a/private/file.te
+++ b/private/file.te
@ -44,3 +44,6 @@ type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;

 # /data/font/files
 type font_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/odsign
+type odsign_data_file, file_type, data_file_type, core_data_file_type;
--- a/private/file_contexts
+++ b/private/file_contexts
@ -363,6 +363,7 @@
 /system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
 /system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
 /system/bin/snapuserd            u:object_r:snapuserd_exec:s0
+/system/bin/odsign               u:object_r:odsign_exec:s0

 #############################
 # Vendor files
@ -588,6 +589,7 @@
 /data/misc/net(/.*)?            u:object_r:net_data_file:s0
 /data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
 /data/misc/nfc/logs(/.*)?       u:object_r:nfc_logs_data_file:s0
+/data/misc/odsign(/.*)?         u:object_r:odsign_data_file:s0
 /data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
 /data/misc/perfetto-traces(/.*)?          u:object_r:perfetto_traces_data_file:s0
 /data/misc/perfetto-configs(/.*)?         u:object_r:perfetto_configs_data_file:s0
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@ -15,6 +15,10 @@ allow fsverity_init fsverity_init:key { view search write };
 # Allow init to write to /proc/sys/fs/verity/require_signatures
 allow fsverity_init proc_fs_verity:file w_file_perms;

+# Read the on-device signing certificate, to be able to add it to the keyring
+allow fsverity_init odsign:fd use;
+allow fsverity_init odsign_data_file:file { getattr read };
+
 # When kernel requests an algorithm, the crypto API first looks for an
 # already registered algorithm with that name. If it fails, the kernel creates
 # an implementation of the algorithm from templates.
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@ -18,6 +18,10 @@ domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
 # Run dexoptanalyzer in its own sandbox.
 domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)

+# Use devpts and fd from odsign (which exec()'s odrefresh)
+allow odrefresh odsign_devpts:chr_file { read write };
+allow odrefresh odsign:fd use;
+
 # Do not audit unused resources from parent processes (adb, shell, su).
 # These appear to be unnecessary for odrefresh.
 dontaudit odrefresh { adbd shell }:fd use;
--- a/private/odsign.te
+++ b/private/odsign.te
@ -0,0 +1,41 @@
+# odsign - on-device signing.
+type odsign, domain;
+
+# odsign - Binary for signing ART artifacts.
+typeattribute odsign coredomain;
+
+type odsign_exec, exec_type, file_type, system_file_type;
+
+# Allow init to start odsign
+init_daemon_domain(odsign)
+
+# Allow using persistent storage in /data/odsign
+allow odsign odsign_data_file:dir create_dir_perms;
+allow odsign odsign_data_file:file create_file_perms;
+
+# Create and use pty created by android_fork_execvp().
+create_pty(odsign)
+
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
+allowxperm odsign apex_art_data_file:file ioctl {
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
+};
+
+# talk to keymaster
+hal_client_domain(odsign, hal_keymaster)
+
+# For ART apex data dir access
+allow odsign apex_module_data_file:dir { getattr search };
+
+allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
+allow odsign apex_art_data_file:file { rw_file_perms unlink };
+
+# Run odrefresh to refresh ART artifacts
+domain_auto_trans(odsign, odrefresh_exec, odrefresh)
+
+# Run fsverity_init to add key to fsverity keyring
+domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
+
+# Neverallows
+neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
+neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;