Commit graph

13 commits

Author SHA1 Message Date
Yunkai Lim
486fa9fb0a Revert "Remove fsverity_init SELinux rules"
Revert submission 2662658-fsverity-init-cleanup

Reason for revert: Culprit for test breakage b/293232766

Reverted changes: /q/submissionid:2662658-fsverity-init-cleanup

Change-Id: I941c28e44890edd0e06dcc896fbd5158d34fded3
2023-07-26 06:21:37 +00:00
Eric Biggers
306f510611 Remove fsverity_init SELinux rules
Since the fsverity_init binary is being removed, remove the
corresponding SELinux rules too.

For now, keep the rule "allow domain kernel:key search", which existed
to allow the fsverity keyring to be searched.  It turns out to actually
be needed for a bit more than that.  We should be able to replace it
with something more precise, but we need to be careful.

Bug: 290064770
Test: Verified no SELinux denials when booting Cuttlefish
Change-Id: I992b75808284cb8a3c26a84be548390193113668
2023-07-20 17:57:23 +00:00
Shikha Panwar
36daf98e45 Selinux setup for /data/misc/odsign/metrics/
odsign will be writing(metrics) to file
/data/misc/odsign/metrics/odsign-metrics.txt & system_server needs from it.

Test: adb pull /data/misc/odsign/metrics/odsign-metrics.txt after reboot
Bug: 202926606
Change-Id: I020efcee8ca7f5b81f1aa3374bbf2b3a7403186d
2022-04-07 14:18:37 +00:00
Alan Stokes
0c5449b193 Remove now-unused permissions
CompOS no longer talks directly to DICE (compos_key_helper does). odsign
no longer promotes or deletes instance CompOS files, and the key files
don't exist any more.

Bug: 218494522
Test: Manual; trigger compilation, reboot & watch odsign
Change-Id: Ibc251180122e6e4789b4be5669da3da67517b49c
2022-02-22 17:40:05 +00:00
Alan Stokes
766caba5de Modify sepolicy for compos key changes
Add the compos_key_helper domain for the process which has access to
the signing key, make sure it can't be crashdumped. Also extend that
protection to diced & its HAL.

Rename compos_verify_key to compos_verify, because it doesn't verify
keys any more.

Move exec types used by Microdroid to file.te in the host rather than
their own dedicated files.

Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I942667355d8ce29b3a9eb093e0b9c4f6ee0df6c1
2022-02-17 12:14:40 +00:00
Alan Stokes
39f497013c SEPolicy for compos_verify_key.
Remove some allow rules for odsign, since it no longer directly
modifies CompOs files. Instead allow it to run compos_verify_key in
its own domain.

Grant compos_verify_key what it needs to access the CompOs files and
start up the VM.

Currently we directly connect to the CompOs VM; that will change once
some in-flight CLs have landed.

As part of this I moved the virtualizationservice_use macro to
te_macros so I can use it here. I also expanded it to include
additional grants needed by any VM client that were previously done
for individual domains (and then deleted those rules as now
redundant).

I also removed the grant of VM access to all apps; instead we allow it
for untrusted apps, on userdebug or eng builds only. (Temporarily at
least.)

Bug: 193603140
Test: Manual - odsign successfully runs the VM at boot when needed.
Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
2021-09-03 16:31:02 +01:00
Alan Stokes
17ad9eb63e Allow odsign to rename & unlink CompOS files.
Write access is still denied.

Bug: 194654666
Test: No denials when testing odsign.
Change-Id: Ia9ca85e4008a1a69da0943793d310b974a8484db
2021-07-30 15:00:28 +01:00
Martijn Coenen
5f21a0fa92 Allow odsign to stop itself.
Carve out a label for the property, and allow odsign to set it.

Bug: 194334176
Test: no denials
Change-Id: I9dafefabc27c679ed9f36e617e824f44f3b16bbd
2021-07-28 10:50:35 +02:00
Alan Stokes
10fbf239b8 Add policy for CompOS APEX data files.
Grant access to odsign to read & delete pending key files. Eventually
we will grant the CompOS daemon write access.

Bug: 190166662
Test: Via odsign; no denials seen.
Change-Id: I6d3c3e5b2aec8ef65bd28cbb274d18263534ce66
2021-07-13 15:35:53 +01:00
Alan Stokes
b7fb7ae7c2 Allow odsign to rename apex_art_data_file:dir
This is needed to allow us to promote pending artifacts from compos to
active, otherwise we get:

odsign  : Can't rename /data/misc/apexdata/com.android.art/pending to /data/misc/apexdata/com.android.art/dalvik-cache: Permission denied
odsign  : type=1400 audit(0.0:9): avc: denied { rename } for name="pending" dev="dm-35" ino=14965 scontext=u:r:odsign:s0 tcontext=u:object_r:apex_art_data_file:s0 tclass=dir permissive=0

Test: Manual, running modified odsign with (bogus) pending artfiacts
Bug: 190166662
Change-Id: I3efafa62d3444f967c0b5eab5516a00daf64f8ef
2021-07-02 11:49:43 +01:00
Martijn Coenen
f2e4ee6498 Add odsign status properties.
These properties are used to communicate odsign status, and allow init
to evict keys and start zygote at the correct moments in time.

Bug: 165630556
Test: no denials from init/odsign
Change-Id: I813e5c1c93d6f00a251a9cce02d0b74e5372c1ce
2021-03-16 09:14:29 +01:00
Martijn Coenen
ca5699b877 Allow on-device signing daemon to talk to keystore.
And introduce a new SELinux key domain solely for use by the
on-device signing daemon.

Bug: 165630556
Test: no denials on boot
Change-Id: If0f6797d7326e98f169639169adec6460689f5ca
2021-02-04 11:56:24 +01:00
Martijn Coenen
6afdb72cbb SELinux policy for on-device signing binary.
Bug: 165630556
Test: no denials on boot
Change-Id: I9d75659fb1eaea562c626ff54521f6dfb02da6b3
2021-02-03 16:15:48 +01:00