08d4c8fa6e
This commit adds fake 31.0 prebuilt. The prebuilt is based on AOSP policy, but slightly modified so the set of types and attributes is a subset of real 31.0 prebuilt (sc-dev policy). Steps taken to make the fake prebuilt: 1) build plat_sepolicy.cil both on AOSP and sc-dev, with lunch target aosp_arm64-eng. 2) diff both outputs to find out which types and attributes don't exist. 3) remove all relevant files and statements. As a result, the following types are removed. artd artd_exec artd_service power_stats_service transformer_service virtualizationservice virtualizationservice_data_file virtualizationservice_exec Bug: 189161483 Test: N/A, will do after adding 31.0 mapping files. Change-Id: Ia957fc32b1838dae730d9dd7bd917d684d4a24cf Merged-In: Ia4ea2999f4bc8ae80f13e51d99fba3e98e293447
25 lines
1.1 KiB
Text
25 lines
1.1 KiB
Text
type fsverity_init, domain, coredomain;
|
|
type fsverity_init_exec, exec_type, file_type, system_file_type;
|
|
|
|
init_daemon_domain(fsverity_init)
|
|
|
|
# Allow to read /proc/keys for searching key id.
|
|
allow fsverity_init proc_keys:file r_file_perms;
|
|
|
|
# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
|
|
dontaudit fsverity_init init:key view;
|
|
dontaudit fsverity_init vold:key view;
|
|
allow fsverity_init kernel:key { view search write setattr };
|
|
allow fsverity_init fsverity_init:key { view search write };
|
|
|
|
# Allow init to write to /proc/sys/fs/verity/require_signatures
|
|
allow fsverity_init proc_fs_verity:file w_file_perms;
|
|
|
|
# Read the on-device signing certificate, to be able to add it to the keyring
|
|
allow fsverity_init odsign:fd use;
|
|
allow fsverity_init odsign_data_file:file { getattr read };
|
|
|
|
# When kernel requests an algorithm, the crypto API first looks for an
|
|
# already registered algorithm with that name. If it fails, the kernel creates
|
|
# an implementation of the algorithm from templates.
|
|
dontaudit fsverity_init kernel:system module_request;
|