add selinux rules for mini-keyctl
mini-keyctl is a binary used to load channel keys to .fsverity keyring.
This CL creates a new domain for mini-keyctl and a type for /proc/keys
and adds allow rules needed by this binary.
Bug: 112038861
Test: manual
Merged-In: I3b744d302859a02dfe63c81c7f33bb30912d7994
Change-Id: I3b744d302859a02dfe63c81c7f33bb30912d7994
diff --git a/private/mini_keyctl.te b/private/mini_keyctl.te
new file mode 100644
index 0000000..c81a17c
--- /dev/null
+++ b/private/mini_keyctl.te
@@ -0,0 +1,17 @@
+type mini-keyctl, domain, coredomain;
+type mini-keyctl_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(mini-keyctl)
+
+allow mini-keyctl proc_keys:file r_file_perms;
+
+# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
+dontaudit mini-keyctl init:key view;
+dontaudit mini-keyctl vold:key view;
+allow mini-keyctl kernel:key { view search write };
+allow mini-keyctl mini-keyctl:key { view search write };
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit mini-keyctl kernel:system module_request;