Commit graph

12 commits

Author SHA1 Message Date
Eric Biggers
448bd57181 Remove all module_request rules
Starting in Android 11, Android unconditionally disables kernel module
autoloading (https://r.android.com/1254748) in such a way that even the
SELinux permission does not get checked.  Therefore, all the SELinux
rules that allow or dontaudit the module_request permission are no
longer necessary.  Their presence or absence makes no difference.

Bug: 130424539
Test: Booted Cuttlefish, no SELinux denials.
Change-Id: Ib80e3c8af83478ba2c38d3e8a8ae4e1192786b57
2023-08-22 16:56:04 +00:00
Yunkai Lim
486fa9fb0a Revert "Remove fsverity_init SELinux rules"
Revert submission 2662658-fsverity-init-cleanup

Reason for revert: Culprit for test breakage b/293232766

Reverted changes: /q/submissionid:2662658-fsverity-init-cleanup

Change-Id: I941c28e44890edd0e06dcc896fbd5158d34fded3
2023-07-26 06:21:37 +00:00
Eric Biggers
306f510611 Remove fsverity_init SELinux rules
Since the fsverity_init binary is being removed, remove the
corresponding SELinux rules too.

For now, keep the rule "allow domain kernel:key search", which existed
to allow the fsverity keyring to be searched.  It turns out to actually
be needed for a bit more than that.  We should be able to replace it
with something more precise, but we need to be careful.

Bug: 290064770
Test: Verified no SELinux denials when booting Cuttlefish
Change-Id: I992b75808284cb8a3c26a84be548390193113668
2023-07-20 17:57:23 +00:00
Victor Hsieh
9999e20eed Clean up proc_fs_verity which is no longer used
The reference was deleted in aosp/2281348.

Bug: 249158715
Test: TH
Change-Id: I07f63724e876e1db99acab73836bb52a8aa867d8
2022-12-06 09:10:41 -08:00
Victor Hsieh
12121797f4 Don't audit fsverity_init's view to domain:key
Like the existing dontaudit, fsverity_init shouldn't need to view
irrelevant keys.

Bug: 193474772
Test: m
Change-Id: I177bacdb89d0ed967cae84f109a5e841f2e7349f
2021-07-21 14:51:00 +00:00
Martijn Coenen
6afdb72cbb SELinux policy for on-device signing binary.
Bug: 165630556
Test: no denials on boot
Change-Id: I9d75659fb1eaea562c626ff54521f6dfb02da6b3
2021-02-03 16:15:48 +01:00
Victor Hsieh
f6756b9fb3 Remove unused sepolicy by fsverity_init
Keystore access was reverted a while ago in ag/10598373.

Bug: 112038744
Test: atest CtsAppSecurityHostTestCases:android.appsecurity.cts.ApkVerityInstallTest
Test: atest GtsPlayFsiTestCases GtsPlayFsiHostTestCases ApkVerityTest
Change-Id: Ic170624f5a718806adf54ab12e8f4b9f17c7775b
2020-05-28 17:58:16 -07:00
Treehugger Robot
b7098cb480 Merge "Revert "sepolicy: dontaudit cap_sys_admin on userdebug/eng""
2019-11-21 22:27:37 +00:00
Victor Hsieh
7a4064c5ee Revert "sepolicy: dontaudit cap_sys_admin on userdebug/eng"
Reason for revert: Kernel fix has been backported to coral kernel.

Bug: 132323675
Change-Id: Ie797e5cf212b15c6fff34d2a096ac96de31ce627
2019-11-21 18:37:52 +00:00
Victor Hsieh
369d35d531 Allow fsverity_init to load key from keystore
Also, since fsverity_init has been rewritten in C++, shell execution is no
longer needed.

Test: no denial is generated
Bug: 112038744
Change-Id: I7e409cadd68cb6d5d8557a126a3b9e78063190be
2019-09-26 11:05:20 -07:00
Victor Hsieh
b7f2f0b878 sepolicy: dontaudit cap_sys_admin on userdebug/eng
When fsverity_init tries to access files in /system or /product
partition AFTER adb remount, SELinux denial is generated:

avc: denied { sys_admin } for capability=21
scontext=u:r:fsverity_init:s0 tcontext=u:r:fsverity_init:s0
tclass=capability permissive=0

This is due to some internal access to an xattr inside overlayfs, but it
should not report this.

Before the message can be suppressed, dontaudit it to keep the log clean.

Test: no more error log
Bug: 132323675
Change-Id: I323c9330ee6e6b897d1a4e1e74f6e7e0ef1eaa89
2019-08-29 09:39:31 -07:00
Victor Hsieh
3d4ee1dba5 Move fs-verity key loading into fsverity_init domain
fsverity_init is a new shell script that uses mini-keyctl for the actual
key loading.  Given the plan to implement keyctl in toybox, we label
mini-keyctl as u:object_r:toolbox_exec:s0.

This gives us two benefits:
 - Better compatibility to keyctl(1), which doesn't have "dadd"
 - Pave the way to specify key's security labels, since keyctl(1)
   doesn't support, and we want to avoid adding incompatible option.

Test: Boot without SELinux denial
Test: After boot, see the key in /product loaded
Bug: 128607724
Change-Id: Iebd7c9b3c7aa99ad56f74f557700fd85ec58e9d0
2019-03-27 16:31:01 +00:00