39f497013c
Remove some allow rules for odsign, since it no longer directly modifies CompOs files. Instead allow it to run compos_verify_key in its own domain. Grant compos_verify_key what it needs to access the CompOs files and start up the VM. Currently we directly connect to the CompOs VM; that will change once some in-flight CLs have landed. As part of this I moved the virtualizationservice_use macro to te_macros so I can use it here. I also expanded it to include additional grants needed by any VM client that were previously done for individual domains (and then deleted those rules as now redundant). I also removed the grant of VM access to all apps; instead we allow it for untrusted apps, on userdebug or eng builds only. (Temporarily at least.) Bug: 193603140 Test: Manual - odsign successfully runs the VM at boot when needed. Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
69 lines
2 KiB
Text
69 lines
2 KiB
Text
# odsign - on-device signing.
|
|
type odsign, domain;
|
|
|
|
# odsign - Binary for signing ART artifacts.
|
|
typeattribute odsign coredomain;
|
|
|
|
type odsign_exec, exec_type, file_type, system_file_type;
|
|
|
|
# Allow init to start odsign
|
|
init_daemon_domain(odsign)
|
|
|
|
# Allow using persistent storage in /data/odsign
|
|
allow odsign odsign_data_file:dir create_dir_perms;
|
|
allow odsign odsign_data_file:file create_file_perms;
|
|
|
|
# Create and use pty created by android_fork_execvp().
|
|
create_pty(odsign)
|
|
|
|
# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
|
|
allowxperm odsign apex_art_data_file:file ioctl {
|
|
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
|
|
};
|
|
|
|
# talk to binder services (for keystore)
|
|
binder_use(odsign);
|
|
|
|
# talk to keystore specifically
|
|
use_keystore(odsign);
|
|
|
|
# Use our dedicated keystore key
|
|
allow odsign odsign_key:keystore2_key {
|
|
delete
|
|
get_info
|
|
rebind
|
|
use
|
|
};
|
|
|
|
# talk to keymaster
|
|
hal_client_domain(odsign, hal_keymaster)
|
|
|
|
# For ART apex data dir access
|
|
allow odsign apex_module_data_file:dir { getattr search };
|
|
|
|
allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
|
|
allow odsign apex_art_data_file:file { rw_file_perms unlink };
|
|
|
|
# For CompOS instance & key files
|
|
allow odsign apex_compos_data_file:dir { getattr search };
|
|
allow odsign apex_compos_data_file:file r_file_perms;
|
|
|
|
# Run odrefresh to refresh ART artifacts
|
|
domain_auto_trans(odsign, odrefresh_exec, odrefresh)
|
|
|
|
# Run fsverity_init to add key to fsverity keyring
|
|
domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
|
|
|
|
# Run compos_verify_key to verify CompOs instances
|
|
domain_auto_trans(odsign, compos_verify_key_exec, compos_verify_key)
|
|
|
|
# only odsign can set odsign sysprop
|
|
set_prop(odsign, odsign_prop)
|
|
neverallow { domain -odsign -init } odsign_prop:property_service set;
|
|
|
|
# Allow odsign to stop itself
|
|
set_prop(odsign, ctl_odsign_prop)
|
|
|
|
# Neverallows
|
|
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
|
|
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
|