Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / ff43be2ca9dcc80711fc14e0bfb847951f677243^! / . / microdroid / sepolicy / system / private / odsign.te
commitff43be2ca9dcc80711fc14e0bfb847951f677243[log] [tgz]
authorInseob Kim <inseob@google.com>Mon Jun 07 16:56:56 2021 +0900
committerInseob Kim <inseob@google.com>Mon Jun 07 18:44:35 2021 +0900
treebf5e839c17d58df2298c811dbf18624f24b48133
parentb50e0fabe77f1f16a9d1fd79cd351bef3834c77c [diff] [blame]
Add microdroid specific sepolicy

Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; For now it's a simple copy of system/sepolicy.
For the future work, it will be stripped.

Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938

diff --git a/microdroid/sepolicy/system/private/odsign.te b/microdroid/sepolicy/system/private/odsign.te
new file mode 100644
index 0000000..0ff3b7b
--- /dev/null
+++ b/microdroid/sepolicy/system/private/odsign.te

@@ -0,0 +1,59 @@
+# odsign - on-device signing.
+type odsign, domain;
+
+# odsign - Binary for signing ART artifacts.
+typeattribute odsign coredomain;
+
+type odsign_exec, exec_type, file_type, system_file_type;
+
+# Allow init to start odsign
+init_daemon_domain(odsign)
+
+# Allow using persistent storage in /data/odsign
+allow odsign odsign_data_file:dir create_dir_perms;
+allow odsign odsign_data_file:file create_file_perms;
+
+# Create and use pty created by android_fork_execvp().
+create_pty(odsign)
+
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
+allowxperm odsign apex_art_data_file:file ioctl {
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
+};
+
+# talk to binder services (for keystore)
+binder_use(odsign);
+
+# talk to keystore specifically
+use_keystore(odsign);
+
+# Use our dedicated keystore key
+allow odsign odsign_key:keystore2_key {
+    delete
+    get_info
+    rebind
+    use
+};
+
+# talk to keymaster
+hal_client_domain(odsign, hal_keymaster)
+
+# For ART apex data dir access
+allow odsign apex_module_data_file:dir { getattr search };
+
+allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
+allow odsign apex_art_data_file:file { rw_file_perms unlink };
+
+# Run odrefresh to refresh ART artifacts
+domain_auto_trans(odsign, odrefresh_exec, odrefresh)
+
+# Run fsverity_init to add key to fsverity keyring
+domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
+
+# only odsign can set odsign sysprop
+set_prop(odsign, odsign_prop)
+neverallow { domain -odsign -init } odsign_prop:property_service set;
+
+# Neverallows
+neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
+neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;