0b3d56d35f
LOOP_CONFIGURE is more efficient than LOOP_SET_FD/SET_STATUS64. apkdmverity had used the latter because LOOP_CONFIGURE didn't work for loop-mounting the IDSIG file. apkdmverity can now use LOOP_CONFIGURE, enabling DIRECT_IO only when necessary. Bug: 191344832 Test: atest MicrodroidTestApp Change-Id: I9503f17a689e2447acee1f6ef9c2aac53cf3c457
# apkdmverity is a program that protects a signed APK file using dm-verity.
#
# Domain for the apkdmverity binary. It is started by microdroid_manager (see
# the fd rule and the neverallow at the end of this file), sets up loop devices
# and dm-verity targets on top of them, and reads the expected root hash from
# a property. Everything not listed below is denied by default, so this file
# is the complete description of what a compromised apkdmverity could reach.
type apkdmverity, domain, coredomain;
type apkdmverity_exec, exec_type, file_type, system_file_type;

# apkdmverity is using bootstrap bionic
use_bootstrap_libs(apkdmverity)

# apkdmverity accesses "payload metadata disk" which points to
# a /dev/vd* block device file.
# Read-only access: directory and symlink lookups in the block-device
# directory and reads of the vd_device node. No write permission is granted
# on the virtio disk, so apkdmverity itself cannot alter the payload it
# verifies.
allow apkdmverity block_device:dir r_dir_perms;
allow apkdmverity block_device:lnk_file r_file_perms;
allow apkdmverity vd_device:blk_file r_file_perms;

# allow apkdmverity to create dm-verity devices
# Read/write access (including ioctl) on the device-mapper control node and
# the mapped block devices. NOTE(review): unlike the loop device below, the
# ioctl permission here is not narrowed with an allowxperm rule, so every
# device-mapper ioctl is reachable from this domain.
allow apkdmverity dm_device:{chr_file blk_file} rw_file_perms;
# sys_admin is required to access the device-mapper and mount
# NOTE(review): CAP_SYS_ADMIN is a very broad capability; keep the rest of
# this domain's object access minimal so that the capability alone does not
# widen what a compromised apkdmverity can do.
allow apkdmverity self:global_capability_class_set sys_admin;

# allow apkdmverity to create loop devices with /dev/loop-control
allow apkdmverity loop_control_device:chr_file rw_file_perms;

# allow apkdmverity to read the roothash passed from microdroid_manager
# The root hash is the trust anchor for the verity table. Only get_prop is
# granted: apkdmverity reads the value, it never sets it.
get_prop(apkdmverity, microdroid_manager_roothash_prop)

# allow apkdmverity to access loop devices
# The ioctl permission from rw_file_perms is narrowed to LOOP_CONFIGURE,
# which replaces the older LOOP_SET_FD / LOOP_SET_STATUS64 sequence with a
# single call and can request direct I/O as part of it. Those older ioctls
# are therefore not permitted; the binary must not fall back to them.
allow apkdmverity loop_device:blk_file rw_file_perms;
allowxperm apkdmverity loop_device:blk_file ioctl {
LOOP_CONFIGURE
};

# allow apkdmverity to log to the kernel
# Write-only: nothing is read back from the kmsg device.
allow apkdmverity kmsg_device:chr_file w_file_perms;

# apkdmverity is forked from microdroid_manager
# Inherited file descriptors may be used only when they were opened by
# microdroid_manager.
allow apkdmverity microdroid_manager:fd use;

# Only microdroid_manager can run apkdmverity
# Policy invariant, checked at policy compile time: no domain other than
# microdroid_manager may transition (or dyntransition) into apkdmverity, so
# the loop/device-mapper/sys_admin grants above are reachable only through
# microdroid_manager.
neverallow { domain -microdroid_manager } apkdmverity:process { transition dyntransition };