Blame - microdroid/sepolicy/system/private/odsign.te - android_packages_modules_Virtualization

blob: 0ff3b7b7713d7f925d3437fe3124646acbe0898b [file] [log] [blame]

Inseob Kim	ff43be2	2021-06-07 16:56:56 +0900	[diff] [blame]	1	# odsign - on-device signing.
				2	type odsign, domain;
				3
				4	# odsign - Binary for signing ART artifacts.
				5	typeattribute odsign coredomain;
				6
				7	type odsign_exec, exec_type, file_type, system_file_type;
				8
				9	# Allow init to start odsign
				10	init_daemon_domain(odsign)
				11
				12	# Allow using persistent storage in /data/odsign
				13	allow odsign odsign_data_file:dir create_dir_perms;
				14	allow odsign odsign_data_file:file create_file_perms;
				15
				16	# Create and use pty created by android_fork_execvp().
				17	create_pty(odsign)
				18
				19	# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
				20	allowxperm odsign apex_art_data_file:file ioctl {
				21	FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
				22	};
				23
				24	# talk to binder services (for keystore)
				25	binder_use(odsign);
				26
				27	# talk to keystore specifically
				28	use_keystore(odsign);
				29
				30	# Use our dedicated keystore key
				31	allow odsign odsign_key:keystore2_key {
				32	delete
				33	get_info
				34	rebind
				35	use
				36	};
				37
				38	# talk to keymaster
				39	hal_client_domain(odsign, hal_keymaster)
				40
				41	# For ART apex data dir access
				42	allow odsign apex_module_data_file:dir { getattr search };
				43
				44	allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
				45	allow odsign apex_art_data_file:file { rw_file_perms unlink };
				46
				47	# Run odrefresh to refresh ART artifacts
				48	domain_auto_trans(odsign, odrefresh_exec, odrefresh)
				49
				50	# Run fsverity_init to add key to fsverity keyring
				51	domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
				52
				53	# only odsign can set odsign sysprop
				54	set_prop(odsign, odsign_prop)
				55	neverallow { domain -odsign -init } odsign_prop:property_service set;
				56
				57	# Neverallows
				58	neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
				59	neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;