Merge "encryptedstore - Create Selinux context & grant permissions"
commit
f447a0bf07
3 changed files with 33 additions and 0 deletions
28
microdroid/system/private/encryptedstore.te
Normal file
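--- a/microdroid/system/private/encryptedstore.te
+++ b/microdroid/system/private/encryptedstore.te
@@ -0,0 +1,28 @@
+# encryptedstore is a program that provides (encrypted) storage solution in a VM based on dm-crypt
+
+type encryptedstore, domain, coredomain;
+type encryptedstore_exec, exec_type, file_type, system_file_type;
+
+# encryptedstore is using bootstrap bionic
+use_bootstrap_libs(encryptedstore)
+
+# encryptedstore require access to block device directory to map dm-crypt
+r_dir_file(encryptedstore, block_device)
+
+# encryptedstore accesses /dev/vd* block device file.
+allow encryptedstore vd_device:blk_file r_file_perms;
+
+# allow encryptedstore to create dm-crypt devices
+allow encryptedstore dm_device:{chr_file blk_file} rw_file_perms;
+
+# sys_admin is required to access the device-mapper and mount
+allow encryptedstore self:global_capability_class_set sys_admin;
+
+# encryptedstore is forked from microdroid_manager
+allow encryptedstore microdroid_manager:fd use;
+
+# allow encryptedstore to log to the kernel
+allow encryptedstore kmsg_device:chr_file w_file_perms;
+
+# Only microdroid_manager can run encryptedstore
+neverallow { domain -microdroid_manager } encryptedstore:process { transition dyntransition };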
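Review bot: The comment on the `sys_admin` rule cites both device-mapper and mount, yet no rule in this new file grants a filesystem `mount` or a directory `mounton`, so the stated reason is only half backed by the policy and the next reader cannot tell why the capability is there. CAP_SYS_ADMIN is the broadest capability a domain can hold, and paired with `rw_file_perms` on every `dm_device` node it would presumably also reach device-mapper devices set up by other domains such as apkdmverity, if those carry the same label (the labelling is not visible here). I would reword the comment to the operation actually needed now, for example `# sys_admin is required for the device-mapper ioctls that create the dm-crypt device; mount permissions are not granted in this change`, and record in the file that `dm_device` is shared with other device-mapper users.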
@ -121,6 +121,7 @@
|
|||
/system/bin/apkdmverity u:object_r:apkdmverity_exec:s0
|
||||
/system/bin/authfs u:object_r:authfs_exec:s0
|
||||
/system/bin/authfs_service u:object_r:authfs_service_exec:s0
|
||||
/system/bin/encryptedstore u:object_r:encryptedstore_exec:s0
|
||||
/system/bin/kexec_load u:object_r:kexec_exec:s0
|
||||
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
|
||||
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
|
||||
|
|
|
@ -39,6 +39,9 @@ domain_auto_trans(microdroid_manager, compos_exec, compos)
|
|||
domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
|
||||
domain_auto_trans(microdroid_manager, zipfuse_exec, zipfuse)
|
||||
|
||||
# Allow microdroid_manager to start encryptedstore binary
|
||||
domain_auto_trans(microdroid_manager, encryptedstore_exec, encryptedstore)
|
||||
|
||||
# Allow microdroid_manager to run kexec to load crashkernel
|
||||
domain_auto_trans(microdroid_manager, kexec_exec, kexec)
|
||||
|
||||
|
@ -123,6 +126,7 @@ neverallow microdroid_manager {
|
|||
-crash_dump
|
||||
-microdroid_payload
|
||||
-apkdmverity
|
||||
-encryptedstore
|
||||
-zipfuse
|
||||
-kexec
|
||||
}:process transition;
|
||||
|
|