add selinux rules for mini-keyctl
mini-keyctl is a binary used to load channel keys to .fsverity keyring.
This CL creates a new domain for mini-keyctl and a type for /proc/keys
and adds allow rules needed by this binary.
Bug: 112038861
Test: manual
Change-Id: I3b744d302859a02dfe63c81c7f33bb30912d7994
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index e3bccd1..8fa1cd7 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1377,6 +1377,7 @@
(typeattributeset priv_app_28_0 (priv_app))
(typeattributeset proc_28_0
( proc
+ proc_keys
proc_pressure_cpu
proc_pressure_io
proc_pressure_mem
diff --git a/private/file_contexts b/private/file_contexts
index 199c521..3f5df83 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -192,6 +192,7 @@
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
+/system/bin/mini-keyctl -- u:object_r:mini-keyctl_exec:s0
/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 756888d..4999d81 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -10,6 +10,7 @@
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /keys u:object_r:proc_keys:s0
genfscon proc /kmsg u:object_r:proc_kmsg:s0
genfscon proc /loadavg u:object_r:proc_loadavg:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
diff --git a/private/mini_keyctl.te b/private/mini_keyctl.te
new file mode 100644
index 0000000..c81a17c
--- /dev/null
+++ b/private/mini_keyctl.te
@@ -0,0 +1,17 @@
+type mini-keyctl, domain, coredomain;
+type mini-keyctl_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(mini-keyctl)
+
+allow mini-keyctl proc_keys:file r_file_perms;
+
+# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
+dontaudit mini-keyctl init:key view;
+dontaudit mini-keyctl vold:key view;
+allow mini-keyctl kernel:key { view search write };
+allow mini-keyctl mini-keyctl:key { view search write };
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit mini-keyctl kernel:system module_request;