Merge "SELinux policy for on-device signing binary."

This commit is contained in:
Martijn Coenen 2021-02-05 11:22:37 +00:00 committed by Gerrit Code Review
commit 9e794114b2
8 changed files with 63 additions and 0 deletions

View file

@ -60,6 +60,9 @@
nfc_logs_data_file nfc_logs_data_file
odrefresh odrefresh
odrefresh_exec odrefresh_exec
odsign
odsign_data_file
odsign_exec
people_service people_service
persist_vendor_debug_wifi_prop persist_vendor_debug_wifi_prop
power_debug_prop power_debug_prop

View file

@ -38,6 +38,10 @@ allow dex2oat apex_module_data_file:dir search;
# Allow dex2oat to use file descriptors passed from odrefresh. # Allow dex2oat to use file descriptors passed from odrefresh.
allow dex2oat odrefresh:fd use; allow dex2oat odrefresh:fd use;
# Allow dex2oat to use devpts and file descriptors passed from odsign
allow dex2oat odsign_devpts:chr_file { read write };
allow dex2oat odsign:fd use;
# Allow dex2oat to write to file descriptors from odrefresh for files # Allow dex2oat to write to file descriptors from odrefresh for files
# in the staging area. # in the staging area.
allow dex2oat apex_art_staging_data_file:dir r_dir_perms; allow dex2oat apex_art_staging_data_file:dir r_dir_perms;

View file

@ -277,6 +277,7 @@ neverallow {
domain domain
# art processes # art processes
-odrefresh -odrefresh
-odsign
# others # others
-apexd -apexd
-init -init
@ -287,6 +288,7 @@ neverallow {
domain domain
# art processes # art processes
-odrefresh -odrefresh
-odsign
# others # others
-apexd -apexd
-init -init

View file

@ -44,3 +44,6 @@ type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
# /data/font/files # /data/font/files
type font_data_file, file_type, data_file_type, core_data_file_type; type font_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/odsign
type odsign_data_file, file_type, data_file_type, core_data_file_type;

View file

@ -363,6 +363,7 @@
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0 /system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0 /system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/system/bin/snapuserd u:object_r:snapuserd_exec:s0 /system/bin/snapuserd u:object_r:snapuserd_exec:s0
/system/bin/odsign u:object_r:odsign_exec:s0
############################# #############################
# Vendor files # Vendor files
@ -588,6 +589,7 @@
/data/misc/net(/.*)? u:object_r:net_data_file:s0 /data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0 /data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0 /data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0 /data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0 /data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0 /data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0

View file

@ -15,6 +15,10 @@ allow fsverity_init fsverity_init:key { view search write };
# Allow init to write to /proc/sys/fs/verity/require_signatures # Allow init to write to /proc/sys/fs/verity/require_signatures
allow fsverity_init proc_fs_verity:file w_file_perms; allow fsverity_init proc_fs_verity:file w_file_perms;
# Read the on-device signing certificate, to be able to add it to the keyring
allow fsverity_init odsign:fd use;
allow fsverity_init odsign_data_file:file { getattr read };
# When kernel requests an algorithm, the crypto API first looks for an # When kernel requests an algorithm, the crypto API first looks for an
# already registered algorithm with that name. If it fails, the kernel creates # already registered algorithm with that name. If it fails, the kernel creates
# an implementation of the algorithm from templates. # an implementation of the algorithm from templates.

View file

@ -18,6 +18,10 @@ domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
# Run dexoptanalyzer in its own sandbox. # Run dexoptanalyzer in its own sandbox.
domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer) domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
# Use devpts and fd from odsign (which exec()'s odrefresh)
allow odrefresh odsign_devpts:chr_file { read write };
allow odrefresh odsign:fd use;
# Do not audit unused resources from parent processes (adb, shell, su). # Do not audit unused resources from parent processes (adb, shell, su).
# These appear to be unnecessary for odrefresh. # These appear to be unnecessary for odrefresh.
dontaudit odrefresh { adbd shell }:fd use; dontaudit odrefresh { adbd shell }:fd use;

41
private/odsign.te Normal file
View file

@ -0,0 +1,41 @@
# odsign - on-device signing.
type odsign, domain;
# odsign - Binary for signing ART artifacts.
typeattribute odsign coredomain;
type odsign_exec, exec_type, file_type, system_file_type;
# Allow init to start odsign
init_daemon_domain(odsign)
# Allow using persistent storage in /data/odsign
allow odsign odsign_data_file:dir create_dir_perms;
allow odsign odsign_data_file:file create_file_perms;
# Create and use pty created by android_fork_execvp().
create_pty(odsign)
# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
allowxperm odsign apex_art_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
};
# talk to keymaster
hal_client_domain(odsign, hal_keymaster)
# For ART apex data dir access
allow odsign apex_module_data_file:dir { getattr search };
allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
allow odsign apex_art_data_file:file { rw_file_perms unlink };
# Run odrefresh to refresh ART artifacts
domain_auto_trans(odsign, odrefresh_exec, odrefresh)
# Run fsverity_init to add key to fsverity keyring
domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
# Neverallows
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;