Commit graph

7 commits

Author SHA1 Message Date
Martijn Coenen
6afdb72cbb SELinux policy for on-device signing binary.
Bug: 165630556
Test: no denials on boot
Change-Id: I9d75659fb1eaea562c626ff54521f6dfb02da6b3
2021-02-03 16:15:48 +01:00
Victor Hsieh
f6756b9fb3 Remove unused sepolicy by fsverity_init
Keystore access was reverted a while ago in ag/10598373.

Bug: 112038744
Test: atest CtsAppSecurityHostTestCases:android.appsecurity.cts.ApkVerityInstallTest
Test: atest GtsPlayFsiTestCases GtsPlayFsiHostTestCases ApkVerityTest
Change-Id: Ic170624f5a718806adf54ab12e8f4b9f17c7775b
2020-05-28 17:58:16 -07:00
Treehugger Robot
b7098cb480 Merge "Revert "sepolicy: dontaudit cap_sys_admin on userdebug/eng"" 2019-11-21 22:27:37 +00:00
Victor Hsieh
7a4064c5ee Revert "sepolicy: dontaudit cap_sys_admin on userdebug/eng"
Reason for revert: Kernel fix has been backported to coral kernel.

Bug: 132323675
Change-Id: Ie797e5cf212b15c6fff34d2a096ac96de31ce627
2019-11-21 18:37:52 +00:00
Victor Hsieh
369d35d531 Allow fsverity_init to load key from keystore
Also, since fsverity_init has been rewriten in C++, shell execution is no
longer needed.

Test: no denial is generated
Bug: 112038744
Change-Id: I7e409cadd68cb6d5d8557a126a3b9e78063190be
2019-09-26 11:05:20 -07:00
Victor Hsieh
b7f2f0b878 sepolicy: dontaudit cap_sys_admin on userdebug/eng
When fsverity_init tries to access files in /system or /product
partition AFTER adb remount, SELinux denial is generated:

avc: denied { sys_admin } for capability=21
scontext=u:r:fsverity_init:s0 tcontext=u:r:fsverity_init:s0
tclass=capability permissive=0

This is due to some internal access to an xattr inside overlayfs, but it
should not report this.

Before the message can be surpressed, dontaudit it to keep the log clean.

Test: no more error log
Bug: 132323675
Change-Id: I323c9330ee6e6b897d1a4e1e74f6e7e0ef1eaa89
2019-08-29 09:39:31 -07:00
Victor Hsieh
3d4ee1dba5 Move fs-verity key loading into fsverity_init domain
fsverity_init is a new shell script that uses mini-keyctl for the actual
key loading.  Given the plan to implement keyctl in toybox, we label
mini-keyctl as u:object_r:toolbox_exec:s0.

This gives us two benefits:
 - Better compatibility to keyctl(1), which doesn't have "dadd"
 - Pave the way to specify key's security labels, since keyctl(1)
   doesn't support, and we want to avoid adding incompatible option.

Test: Boot without SELinux denial
Test: After boot, see the key in /product loaded
Bug: 128607724
Change-Id: Iebd7c9b3c7aa99ad56f74f557700fd85ec58e9d0
2019-03-27 16:31:01 +00:00