Move fs-verity key loading into fsverity_init domain
fsverity_init is a new shell script that uses mini-keyctl for the actual
key loading. Given the plan to implement keyctl in toybox, we label
mini-keyctl as u:object_r:toolbox_exec:s0.
This gives us two benefits:
- Better compatibility to keyctl(1), which doesn't have "dadd"
- Pave the way to specify key's security labels, since keyctl(1)
doesn't support, and we want to avoid adding incompatible option.
Test: Boot without SELinux denial
Test: After boot, see the key in /product loaded
Bug: 128607724
Change-Id: Iebd7c9b3c7aa99ad56f74f557700fd85ec58e9d0
diff --git a/private/domain.te b/private/domain.te
index 137d5f2..f4fb407 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -76,7 +76,7 @@
# Allow access to fsverity keyring.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
-allow domain mini-keyctl:key search;
+allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
userdebug_or_eng(`
allow domain su:key search;
diff --git a/private/file_contexts b/private/file_contexts
index 35796fb..b913e94 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -191,7 +191,9 @@
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
/system/bin/init u:object_r:init_exec:s0
-/system/bin/mini-keyctl -- u:object_r:mini-keyctl_exec:s0
+# TODO(/123600489): merge mini-keyctl into toybox
+/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
+/system/bin/fsverity_init u:object_r:fsverity_init_exec:s0
/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
new file mode 100644
index 0000000..c6a5edd
--- /dev/null
+++ b/private/fsverity_init.te
@@ -0,0 +1,25 @@
+type fsverity_init, domain, coredomain;
+type fsverity_init_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(fsverity_init)
+
+# Allow this shell script to run and execute toybox
+allow fsverity_init shell_exec:file rx_file_perms;
+allow fsverity_init toolbox_exec:file rx_file_perms;
+
+# Allow to read /proc/keys for searching key id.
+allow fsverity_init proc_keys:file r_file_perms;
+
+# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
+dontaudit fsverity_init init:key view;
+dontaudit fsverity_init vold:key view;
+allow fsverity_init kernel:key { view search write setattr };
+allow fsverity_init fsverity_init:key { view search write };
+
+# Allow init to write to /proc/sys/fs/verity/require_signatures
+allow fsverity_init proc_fs_verity:file w_file_perms;
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit fsverity_init kernel:system module_request;
diff --git a/private/mini_keyctl.te b/private/mini_keyctl.te
deleted file mode 100644
index 53dbfce..0000000
--- a/private/mini_keyctl.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type mini-keyctl, domain, coredomain;
-type mini-keyctl_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(mini-keyctl)
-
-allow mini-keyctl proc_keys:file r_file_perms;
-
-# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
-dontaudit mini-keyctl init:key view;
-dontaudit mini-keyctl vold:key view;
-allow mini-keyctl kernel:key { view search write setattr };
-allow mini-keyctl mini-keyctl:key { view search write };
-
-# When kernel requests an algorithm, the crypto API first looks for an
-# already registered algorithm with that name. If it fails, the kernel creates
-# an implementation of the algorithm from templates.
-dontaudit mini-keyctl kernel:system module_request;