2ebc63bef4
mini-keyctl is a binary used to load channel keys to .fsverity keyring. This CL creates a new domain for mini-keyctl and a type for /proc/keys and adds allow rules needed by this binary. Bug: 112038861 Test: manual Merged-In: I3b744d302859a02dfe63c81c7f33bb30912d7994 Change-Id: I3b744d302859a02dfe63c81c7f33bb30912d7994
17 lines
713 B
Text
type mini-keyctl, domain, coredomain;
type mini-keyctl_exec, exec_type, file_type, system_file_type;
init_daemon_domain(mini-keyctl)
allow mini-keyctl proc_keys:file r_file_perms;
# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
dontaudit mini-keyctl init:key view;
dontaudit mini-keyctl vold:key view;
allow mini-keyctl kernel:key { view search write };
allow mini-keyctl mini-keyctl:key { view search write };
# When kernel requests an algorithm, the crypto API first looks for an
# already registered algorithm with that name. If it fails, the kernel creates
# an implementation of the algorithm from templates.
dontaudit mini-keyctl kernel:system module_request;
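Review bot: `proc_keys` is referenced in `allow mini-keyctl proc_keys:file r_file_perms;` but is not declared anywhere in this file; the commit message says this CL adds a type for /proc/keys, so the `type proc_keys ...` declaration and the matching /proc/keys label need to land in the same CL or the policy will not compile. The three `dontaudit` rules (`init:key view`, `vold:key view`, `kernel:system module_request`) silence denials rather than grant anything, which is fine for the /proc/keys listing case the comment describes, but it would help a later reader if the module_request comment also named the operation that triggers it (the key load) so nobody mistakes the suppressed denial for a missing permission when a key fails to load. Since `write` on the kernel keyring is the permission that lets this domain add keys, consider a one-line comment on that rule tying it to the .fsverity keyring mentioned in the commit message.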