tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/microdroid/system/private/encryptedstore.te
Shikha Panwar c6ff74a210 Encryptedstore/Selinux: Format the crypt device 
Add selinux policies required for formatting the crypt device.
1. Allow encryptedstore to execute mk2fs.
2. The execution will happen without domain transition - so add
   permissions related to formatting the device.
3. Allow encryptedstore to write on /dev/vd device - required to zero
   starting bits initially

Test: Run vm with --storage & --storage-size option
Bug: 241541860
Change-Id: I9766e3c67e47a58707beee8b3a156944e3b0a9ce
2022-11-22 17:42:01 +00:00

47 lines
1.8 KiB
Text
Raw Blame History

# encryptedstore is a program that provides (encrypted) storage solution in a VM based on dm-crypt
type encryptedstore, domain, coredomain;
type encryptedstore_exec, exec_type, file_type, system_file_type;
# encryptedstore is using bootstrap bionic
use_bootstrap_libs(encryptedstore)
# encryptedstore require access to block device directory to map dm-crypt
r_dir_file(encryptedstore, block_device)
# encryptedstore accesses /dev/vd* block device file.
allow encryptedstore vd_device:blk_file rw_file_perms;
# allow encryptedstore to create dm-crypt devices
allow encryptedstore dm_device:{ chr_file blk_file } rw_file_perms;
# sys_admin is required to access the device-mapper and mount
allow encryptedstore self:global_capability_class_set sys_admin;
# encryptedstore is forked from microdroid_manager
allow encryptedstore microdroid_manager:fd use;
# For formatting encrypted storage device
allow encryptedstore e2fs_exec:file { rx_file_perms };
allowxperm encryptedstore dm_device:blk_file ioctl {
BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKDISCARD
};
# access /sys/fs/ext4/features - required because encryptedstore runs mkfs.ext4 in its own domain
allow encryptedstore sysfs_fs_ext4_features:dir search;
allow encryptedstore sysfs_fs_ext4_features:file r_file_perms;
# encryptedstore to mount on /mnt/ directory
allow encryptedstore tmpfs:dir { add_name create mounton write };
# Unmount and mount filesystem
allow encryptedstore labeledfs:filesystem { mount unmount };
# allow encryptedstore to log to the kernel
allow encryptedstore kmsg_device:chr_file w_file_perms;
# Allow encryptedstore to write kmsg_debug (stdio_to_kmsg).
allow encryptedstore kmsg_debug_device:chr_file w_file_perms;
# Only microdroid_manager can run encryptedstore
neverallow { domain -microdroid_manager } encryptedstore:process { transition dyntransition };
Reference in a new issue View git blame Copy permalink