Merge "Sepolicy: ART APEX boot integrity"
diff --git a/private/art_apex_boot_integrity.te b/private/art_apex_boot_integrity.te
new file mode 100644
index 0000000..14feee6
--- /dev/null
+++ b/private/art_apex_boot_integrity.te
@@ -0,0 +1,34 @@
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+type art_apex_boot_integrity, domain, coredomain;
+type art_apex_boot_integrity_exec, system_file_type, exec_type, file_type;
+
+# Technically not a daemon but we do want the transition from init domain to
+# art_apex_boot_integrity to occur.
+init_daemon_domain(art_apex_boot_integrity)
+
+# Read dalvik cache directories, remove entries.
+allow art_apex_boot_integrity dalvikcache_data_file:dir  { r_dir_perms write remove_name };
+# Read and possibly delete dalvik cache files.
+allow art_apex_boot_integrity dalvikcache_data_file:file { r_file_perms unlink };
+
+# Allow art_apex_boot_integrity to execute itself using #!/system/bin/sh
+allow art_apex_boot_integrity shell_exec:file rx_file_perms;
+
+# Allow running the mv and rm/rmdir commands using art_apex_boot_integrity
+# permissions.
+allow art_apex_boot_integrity toolbox_exec:file rx_file_perms;
+
+# Fsverity in the same domain.
+allow art_apex_boot_integrity system_file:file execute_no_trans;
+# Fsverity work.
+allowxperm art_apex_boot_integrity ota_data_file:file ioctl {
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+allow art_apex_boot_integrity kernel:key search;
+# For testing purposes, allow keys installed with su.
+userdebug_or_eng(`
+  allow art_apex_boot_integrity su:key search;
+')
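Review bot: The header comment says this domain moves the current-slot artifact from /data/ota into /data/dalvik-cache, but none of the rules below grant write, create or rename on ota_data_file or dalvikcache_data_file — only read plus unlink/remove_name on the dalvik cache — so either the comment overstates what the domain does or the `mv` it describes would be denied; the comment should state exactly what is permitted, e.g. `# Verifies (fs-verity) artifacts under /data/ota and removes stale dalvik-cache entries; it does not write into the cache.`, assuming that is the intended behaviour. The `allowxperm ... ota_data_file:file ioctl` rule also has no matching `allow` in this hunk; allowxperm only restricts an ioctl permission that is already granted, so unless another policy file grants it, `allow art_apex_boot_integrity ota_data_file:file r_file_perms;` (r_file_perms includes ioctl) is needed for the FS_IOC_*_VERITY ioctls to be reachable. Finally, `execute_no_trans` on all of system_file:file is broader than the "Fsverity in the same domain" comment suggests; naming the binary in the comment, or giving it a dedicated exec type, would make the grant auditable against what the domain actually runs.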
diff --git a/private/domain.te b/private/domain.te
index 3b340c5..d6b233f 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -221,6 +221,7 @@
   -dex2oat
   -otapreopt_slot
   -art_apex_postinstall
+  -art_apex_boot_integrity
 } dalvikcache_data_file:file no_w_file_perms;
 
 neverallow {
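Review bot: The two exemption lists are ordered differently: here `-art_apex_boot_integrity` is appended after `-art_apex_postinstall`, while in the dir no_w_dir_perms block at the next hunk it is inserted before it. Keeping the file and dir exemption sets in the same order makes it easy to see that the same domains are exempted from both neverallows, so one of the two insertions should move to match the other. Both neverallow statements begin outside the hunk.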
@@ -232,6 +233,7 @@
   -dex2oat
   -zygote
   -otapreopt_slot
+  -art_apex_boot_integrity
   -art_apex_postinstall
 } dalvikcache_data_file:dir no_w_dir_perms;
 
diff --git a/private/file_contexts b/private/file_contexts
index 9625acc..f81f399 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -238,6 +238,7 @@
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/otapreopt_chroot   u:object_r:otapreopt_chroot_exec:s0
 /system/bin/otapreopt_slot   u:object_r:otapreopt_slot_exec:s0
+/system/bin/art_apex_boot_integrity   u:object_r:art_apex_boot_integrity_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
 /system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0