448bd57181
Starting in Android 11, Android unconditionally disables kernel module autoloading (https://r.android.com/1254748) in such a way that even the SELinux permission does not get checked. Therefore, all the SELinux rules that allow or dontaudit the module_request permission are no longer necessary. Their presence or absence makes no difference. Bug: 130424539 Test: Booted Cuttlefish, no SELinux denials. Change-Id: Ib80e3c8af83478ba2c38d3e8a8ae4e1192786b57
16 lines
661 B
Text
16 lines
661 B
Text
type fsverity_init, domain, coredomain;
|
|
type fsverity_init_exec, exec_type, file_type, system_file_type;
|
|
|
|
init_daemon_domain(fsverity_init)
|
|
|
|
# Allow to read /proc/keys for searching key id.
|
|
allow fsverity_init proc_keys:file r_file_perms;
|
|
|
|
# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
|
|
dontaudit fsverity_init domain:key view;
|
|
allow fsverity_init kernel:key { view search write setattr };
|
|
allow fsverity_init fsverity_init:key { view search write };
|
|
|
|
# Read the on-device signing certificate, to be able to add it to the keyring
|
|
allow fsverity_init odsign:fd use;
|
|
allow fsverity_init odsign_data_file:file { getattr read };
|