Modify sepolicy for compos key changes
Add the compos_key_helper domain for the process which has access to
the signing key, and make sure it can't be crash-dumped. Also extend that
protection to diced & its HAL.
Rename compos_verify_key to compos_verify, because it doesn't verify
keys any more.
Move exec types used by Microdroid to file.te in the host rather than
their own dedicated files.
Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I942667355d8ce29b3a9eb093e0b9c4f6ee0df6c1
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index d9edb67..c9fc32c 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -30,5 +30,10 @@
# See b/35323867#comment3
dontaudit compos self:global_capability_class_set dac_override;
-# Allow domain transition into odrefresh.
+# Allow running odrefresh in its own domain
domain_auto_trans(compos, odrefresh_exec, odrefresh)
+
+# Allow running compos_key_helper in its own domain
+domain_auto_trans(compos, compos_key_helper_exec, compos_key_helper)
+# And killing it on error
+allow compos compos_key_helper:process sigkill;
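Review bot: The comment `# And killing it on error` above the new sigkill rule is a fragment that doesn't say which side does the killing; suggest `# Allow compos to kill compos_key_helper if it fails or hangs`. It would also help a reader to note next to the domain_auto_trans line that compos is the only domain intended to launch the helper, since the helper holds the signing key; whether other launchers exist can't be judged from this hunk.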
diff --git a/microdroid/system/private/compos_key_helper.te b/microdroid/system/private/compos_key_helper.te
new file mode 100644
index 0000000..56f8d2a
--- /dev/null
+++ b/microdroid/system/private/compos_key_helper.te
@@ -0,0 +1,20 @@
+# Helper process for compos to perform key derivation & signing
+type compos_key_helper, domain, coredomain;
+type compos_key_helper_exec, exec_type, file_type, system_file_type;
+
+# This domain has access to DICE secrets & the private signing key.
+# Block crash dumps to ensure the secrets are not leaked.
+typeattribute compos_key_helper no_crash_dump_domain;
+
+# Allow using DICE binder service
+binder_use(compos_key_helper);
+allow compos_key_helper dice_node_service:service_manager find;
+binder_call(compos_key_helper, diced);
+allow compos_key_helper diced:diced { get_attestation_chain derive };
+
+# Communicate with compos via stdin/stdout pipes
+allow compos_key_helper compos:fd use;
+allow compos_key_helper compos:fifo_file { getattr read write };
+
+# Write to /dev/kmsg.
+allow compos_key_helper kmsg_device:chr_file rw_file_perms;
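Review bot: The last rule grants `rw_file_perms` on kmsg_device while the comment above it says only "Write to /dev/kmsg"; for a domain that holds DICE secrets and the signing key, the narrower `allow compos_key_helper kmsg_device:chr_file w_file_perms;` matches the stated intent and avoids giving it read access to the kernel log. If the helper really does read /dev/kmsg, the comment should say so instead; that can't be determined from this page.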
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
index 9530794..2dba244 100644
--- a/microdroid/system/private/diced.te
+++ b/microdroid/system/private/diced.te
@@ -1,6 +1,9 @@
type diced, domain, coredomain;
type diced_exec, system_file_type, exec_type, file_type;
+# Block crash dumps to ensure the DICE secrets are not leaked.
+typeattribute diced no_crash_dump_domain;
+
# diced can be started by init
init_daemon_domain(diced)
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index ae97f75..ab655aa 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -263,9 +263,7 @@
# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
-# We do not apply this to the su domain to avoid interfering with
-# tests (b/114136122)
-domain_auto_trans(domain, crash_dump_exec, crash_dump);
+domain_auto_trans({domain -no_crash_dump_domain}, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
# Properties that microdroid doesn't have but some still want to read.
@@ -605,3 +603,7 @@
# Linux lockdown "integrity" level is enforced for user builds.
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
+
+# These domains must not be crash dumped
+neverallow no_crash_dump_domain crash_dump_exec:file no_x_file_perms;
+neverallow no_crash_dump_domain crash_dump:process { transition dyntransition };
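Review bot: The two neverallows stop a no_crash_dump_domain process from executing crash_dump or transitioning into it, but they do not cover the case where an already-running crash_dump process attaches to one of these domains; if crash_dump.te in this tree grants `crash_dump domain:process ptrace` as the host policy does, the secrets could still be read that way. Consider adding `neverallow crash_dump no_crash_dump_domain:process ptrace;` alongside these, and excluding no_crash_dump_domain from the crash_dump ptrace allow rule. crash_dump.te is not in this diff, so whether that rule exists here is an assumption to confirm.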
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index e3258ae..cdf686b 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -373,3 +373,6 @@
# All types run from microdroid_manager as a payload
attribute microdroid_payload;
+
+# Domains that are blocked from producing a crash dump
+attribute no_crash_dump_domain;