SELinux policy for on-device signing binary.
Bug: 165630556
Test: no denials on boot
Change-Id: I9d75659fb1eaea562c626ff54521f6dfb02da6b3
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 2a960e5..edc9aac 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -60,6 +60,9 @@
nfc_logs_data_file
odrefresh
odrefresh_exec
+ odsign
+ odsign_data_file
+ odsign_exec
people_service
persist_vendor_debug_wifi_prop
power_debug_prop
diff --git a/private/dex2oat.te b/private/dex2oat.te
index b71ede7..909f94c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -38,6 +38,10 @@
# Allow dex2oat to use file descriptors passed from odrefresh.
allow dex2oat odrefresh:fd use;
+# Allow dex2oat to use devpts and file descriptors passed from odsign
+allow dex2oat odsign_devpts:chr_file { read write };
+allow dex2oat odsign:fd use;
+
# Allow dex2oat to write to file descriptors from odrefresh for files
# in the staging area.
allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
diff --git a/private/domain.te b/private/domain.te
index 0908661..94bd059 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -281,6 +281,7 @@
domain
# art processes
-odrefresh
+ -odsign
# others
-apexd
-init
@@ -291,6 +292,7 @@
domain
# art processes
-odrefresh
+ -odsign
# others
-apexd
-init
diff --git a/private/file.te b/private/file.te
index 87443ef..fd50649 100644
--- a/private/file.te
+++ b/private/file.te
@@ -44,3 +44,6 @@
# /data/font/files
type font_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/odsign
+type odsign_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 1e16169..8399cc8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -363,6 +363,7 @@
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
+/system/bin/odsign u:object_r:odsign_exec:s0
#############################
# Vendor files
@@ -588,6 +589,7 @@
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
+/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index 4bb3d0f..42d142f 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -15,6 +15,10 @@
# Allow init to write to /proc/sys/fs/verity/require_signatures
allow fsverity_init proc_fs_verity:file w_file_perms;
+# Read the on-device signing certificate, to be able to add it to the keyring
+allow fsverity_init odsign:fd use;
+allow fsverity_init odsign_data_file:file { getattr read };
+
# When kernel requests an algorithm, the crypto API first looks for an
# already registered algorithm with that name. If it fails, the kernel creates
# an implementation of the algorithm from templates.
diff --git a/private/odrefresh.te b/private/odrefresh.te
index c1ccc38..097098b 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -18,6 +18,10 @@
# Run dexoptanalyzer in its own sandbox.
domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+# Use devpts and fd from odsign (which exec()'s odrefresh)
+allow odrefresh odsign_devpts:chr_file { read write };
+allow odrefresh odsign:fd use;
+
# Do not audit unused resources from parent processes (adb, shell, su).
# These appear to be unnecessary for odrefresh.
dontaudit odrefresh { adbd shell }:fd use;
diff --git a/private/odsign.te b/private/odsign.te
new file mode 100644
index 0000000..b7fd1f4
--- /dev/null
+++ b/private/odsign.te
@@ -0,0 +1,41 @@
+# odsign - on-device signing.
+type odsign, domain;
+
+# odsign - Binary for signing ART artifacts.
+typeattribute odsign coredomain;
+
+type odsign_exec, exec_type, file_type, system_file_type;
+
+# Allow init to start odsign
+init_daemon_domain(odsign)
+
+# Allow using persistent storage in /data/odsign
+allow odsign odsign_data_file:dir create_dir_perms;
+allow odsign odsign_data_file:file create_file_perms;
+
+# Create and use pty created by android_fork_execvp().
+create_pty(odsign)
+
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
+allowxperm odsign apex_art_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
+};
+
+# talk to keymaster
+hal_client_domain(odsign, hal_keymaster)
+
+# For ART apex data dir access
+allow odsign apex_module_data_file:dir { getattr search };
+
+allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
+allow odsign apex_art_data_file:file { rw_file_perms unlink };
+
+# Run odrefresh to refresh ART artifacts
+domain_auto_trans(odsign, odrefresh_exec, odrefresh)
+
+# Run fsverity_init to add key to fsverity keyring
+domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
+
+# Neverallows
+neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
+neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;