Grant compos permissions for signing
CompOS needs to read the artifacts on authfs that odrefresh has
created and write signature files for them.
(It no longer needs to create any directories, so that permission was removed.)
Fixes:
avc: denied { open } for comm="compsvc"
path="/data/misc/authfs/1/11/test-artifacts/...art" dev="fuse" ino=81
scontext=u:r:compos:s0 tcontext=u:object_r:authfs_fuse:s0 tclass=file
permissive=0
avc: denied { create } for comm="compsvc" name="compos.info"
scontext=u:r:compos:s0 tcontext=u:object_r:authfs_fuse:s0 tclass=file
permissive=0
Bug: 161471326
Test: composd_cmd async_odrefresh (with microdroid selinux enforced)
Change-Id: Ie02dedf1f18926cdbbd39e4a950c5aec80adee32
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 7866b20..7570558 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -19,20 +19,13 @@
use
};
-# Although the compos should not really read/write the FD on authfs_fuse, this
-# is apparently required for the binder driver to pass the FDs to compos from
-# authfs_service.
-allow compos authfs_fuse:file { read write };
-
-# Allow getattr (in fact, getxattr) as a workaround to retrieve fs-verity
-# metadata. See b/196635431.
-allow compos authfs_fuse:file getattr;
-
-# Allow creating the odrefresh output directory in authfs.
-allow compos authfs_fuse:dir create_dir_perms;
+# Read artifacts created by odrefresh and create signature files.
+# (Also receive and pass on open FDs to odrefresh.)
+allow compos authfs_fuse:dir rw_dir_perms;
+allow compos authfs_fuse:file create_file_perms;
# Allow locating the authfs mount directory.
-allow compos authfs_data_file:dir { search };
+allow compos authfs_data_file:dir search;
# Allow domain transition into odrefresh and dex2oat.
# TODO(b/209008712): Remove dex2oat once the migration is done.