59d5d90da8
Allow everyone to look for keys in the fsverity keyring. This is required to access fsverity-protected files, at all. This set of permissions is analogous to allowances for the fscrypt keyring and keys. Bug: 125474642 Test: m Test: manual Change-Id: I6e8c13272cdd76d9940d950e9dabecdb210691b1
28 lines
1.2 KiB
Text
28 lines
1.2 KiB
Text
# This command set checks the integrity of boot classpath ART
|
|
# artifacts in /data, potentially removing them.
|
|
|
|
type art_apex_boot_integrity, domain, coredomain;
|
|
type art_apex_boot_integrity_exec, system_file_type, exec_type, file_type;
|
|
|
|
# Technically not a daemon but we do want the transition from init domain to
|
|
# art_apex_boot_integrity to occur.
|
|
init_daemon_domain(art_apex_boot_integrity)
|
|
|
|
# Read dalvik cache directories, remove entries.
|
|
allow art_apex_boot_integrity dalvikcache_data_file:dir { r_dir_perms write remove_name };
|
|
# Read and possibly delete dalvik cache files.
|
|
allow art_apex_boot_integrity dalvikcache_data_file:file { r_file_perms unlink };
|
|
|
|
# Allow art_apex_boot_integrity to execute itself using #!/system/bin/sh
|
|
allow art_apex_boot_integrity shell_exec:file rx_file_perms;
|
|
|
|
# Allow running the mv and rm/rmdir commands using art_apex_boot_integrity
|
|
# permissions.
|
|
allow art_apex_boot_integrity toolbox_exec:file rx_file_perms;
|
|
|
|
# Fsverity in the same domain.
|
|
allow art_apex_boot_integrity system_file:file execute_no_trans;
|
|
# Fsverity work.
|
|
allowxperm art_apex_boot_integrity dalvikcache_data_file:file ioctl {
|
|
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
|
|
};
|