b7f2f0b878
When fsverity_init tries to access files in /system or /product
partition AFTER adb remount, SELinux denial is generated:
avc: denied { sys_admin } for capability=21
scontext=u:r:fsverity_init:s0 tcontext=u:r:fsverity_init:s0
tclass=capability permissive=0
This is due to some internal access to an xattr inside overlayfs, but it
should not report this.
Before the message can be surpressed, dontaudit it to keep the log clean.
Test: no more error log
Bug: 132323675
Change-Id: I323c9330ee6e6b897d1a4e1e74f6e7e0ef1eaa89
30 lines
1.2 KiB
Text
30 lines
1.2 KiB
Text
type fsverity_init, domain, coredomain;
|
|
type fsverity_init_exec, exec_type, file_type, system_file_type;
|
|
|
|
init_daemon_domain(fsverity_init)
|
|
|
|
# Allow this shell script to run and execute toybox
|
|
allow fsverity_init shell_exec:file rx_file_perms;
|
|
allow fsverity_init toolbox_exec:file rx_file_perms;
|
|
|
|
# Allow to read /proc/keys for searching key id.
|
|
allow fsverity_init proc_keys:file r_file_perms;
|
|
|
|
# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
|
|
dontaudit fsverity_init init:key view;
|
|
dontaudit fsverity_init vold:key view;
|
|
allow fsverity_init kernel:key { view search write setattr };
|
|
allow fsverity_init fsverity_init:key { view search write };
|
|
|
|
# Allow init to write to /proc/sys/fs/verity/require_signatures
|
|
allow fsverity_init proc_fs_verity:file w_file_perms;
|
|
|
|
# When kernel requests an algorithm, the crypto API first looks for an
|
|
# already registered algorithm with that name. If it fails, the kernel creates
|
|
# an implementation of the algorithm from templates.
|
|
dontaudit fsverity_init kernel:system module_request;
|
|
|
|
# TODO(b/132323675): remove once kernel bug is fixed.
|
|
userdebug_or_eng(`
|
|
dontaudit fsverity_init self:capability sys_admin;
|
|
')
|