Sepolicy: Allow everyone to search keyrings
Allow everyone to look for keys in the fsverity keyring. This is
required to access fsverity-protected files at all.
This set of permissions is analogous to allowances for the fscrypt
keyring and keys.
Bug: 125474642
Test: m
Test: manual
Change-Id: I6e8c13272cdd76d9940d950e9dabecdb210691b1
diff --git a/private/art_apex_boot_integrity.te b/private/art_apex_boot_integrity.te
index 2ac9140..ba02083 100644
--- a/private/art_apex_boot_integrity.te
+++ b/private/art_apex_boot_integrity.te
@@ -26,9 +26,3 @@
allowxperm art_apex_boot_integrity dalvikcache_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-
-allow art_apex_boot_integrity kernel:key search;
-# For testing purposes, allow keys installed with su.
-userdebug_or_eng(`
- allow art_apex_boot_integrity su:key search;
-')
diff --git a/private/art_apex_postinstall.te b/private/art_apex_postinstall.te
index 40b09d2..575e0bf 100644
--- a/private/art_apex_postinstall.te
+++ b/private/art_apex_postinstall.te
@@ -29,9 +29,3 @@
allowxperm art_apex_postinstall ota_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-
-allow art_apex_postinstall kernel:key search;
-# For testing purposes, allow keys installed with su.
-userdebug_or_eng(`
- allow art_apex_postinstall su:key search;
-')
diff --git a/private/art_apex_preinstall.te b/private/art_apex_preinstall.te
index 99341ec..e6a8475 100644
--- a/private/art_apex_preinstall.te
+++ b/private/art_apex_preinstall.te
@@ -31,9 +31,3 @@
allowxperm art_apex_preinstall ota_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-
-allow art_apex_preinstall kernel:key search;
-# For testing purposes, allow keys installed with su.
-userdebug_or_eng(`
- allow art_apex_preinstall su:key search;
-')
diff --git a/private/domain.te b/private/domain.te
index d6b233f..537e61b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -73,6 +73,15 @@
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
+# Allow access to fsverity keyring.
+allow domain kernel:key search;
+# Allow access to keys in the fsverity keyring that were installed at boot.
+allow domain mini-keyctl:key search;
+# For testing purposes, allow access to keys installed with su.
+userdebug_or_eng(`
+ allow domain su:key search;
+')
+
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
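Review bot: The added comments describe these rules as access to the fsverity keyring, but `allow domain kernel:key search;` matches on the key's label, so it grants `search` on every key or keyring labelled `kernel` (and likewise `mini-keyctl` and, on userdebug/eng, `su`) to all domains, including the least trusted ones. I would say so in the comment, e.g. `# Matches any key labelled kernel, not only the fsverity keyring; grant search only, never read/write/link/setattr.` Since the grant now lives on `domain`, a guard next to it would stop a later change from quietly widening it, for example `neverallow domain kernel:key { read write link setattr };`. Whether some domain legitimately needs one of those permissions is not visible from this hunk, so the exclusion set needs checking against the rest of the policy.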
diff --git a/private/system_server.te b/private/system_server.te
index e5e8a03..ab4a07c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -809,11 +809,6 @@
allowxperm system_server apk_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-# Allow system process to access the keyring.
-allow system_server kernel:key search;
-userdebug_or_eng(`
- allow system_server su:key search;
-')
# Postinstall
#