Modify sepolicy for compos key changes

Add the compos_key_helper domain for the process which has access to
the signing key, and make sure it can't be crashdumped. Also extend
that protection to diced & its HAL.

Rename compos_verify_key to compos_verify, because it doesn't verify
keys any more.

Move exec types used by Microdroid to file.te in the host rather than
their own dedicated files.

Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I942667355d8ce29b3a9eb093e0b9c4f6ee0df6c1
diff --git a/private/compos.te b/private/compos.te
deleted file mode 100644
index ffbb33e..0000000
--- a/private/compos.te
+++ /dev/null
@@ -1 +0,0 @@
-type compos_exec, exec_type, file_type, system_file_type;
diff --git a/private/compos_verify.te b/private/compos_verify.te
new file mode 100644
index 0000000..0a281f8
--- /dev/null
+++ b/private/compos_verify.te
@@ -0,0 +1,23 @@
+# Run by odsign to verify a CompOS signature
+type compos_verify, domain, coredomain;
+type compos_verify_exec, exec_type, file_type, system_file_type;
+
+# Start a VM
+binder_use(compos_verify);
+virtualizationservice_use(compos_verify);
+
+# Access instance image files
+allow compos_verify apex_module_data_file:dir search;
+r_dir_file(compos_verify, apex_compos_data_file)
+
+# Read CompOS info & signature files
+allow compos_verify apex_art_data_file:dir search;
+allow compos_verify apex_art_data_file:file r_file_perms;
+
+# Allow odsign to redirect our stdout/stderr to log
+allow compos_verify odsign:fd use;
+allow compos_verify odsign_devpts:chr_file { read write };
+
+# Only odsign can enter the domain via exec
+neverallow { domain -odsign } compos_verify:process transition;
+neverallow * compos_verify:process dyntransition;
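Review bot: The new domain drops the create/delete/rename rights that compos_verify_key had on apex_compos_data_file (old lines 66-69: "delete on failure, rename pending to current") and keeps only r_dir_file, but nothing in this file records that the cleanup/promotion of instance images is now done elsewhere, so a later reader may reach for `create_file_perms` again. Presumably odsign now owns that step — worth stating in the header so the tightening is deliberate and stays: `# Read-only: this domain never deletes or promotes instance images; that is odsign's job` (hedge or drop the odsign part if the responsibility moved somewhere else). Also, the macro calls mix styles — `binder_use(compos_verify);` carries a trailing semicolon while `r_dir_file(compos_verify, apex_compos_data_file)` does not; pick one form for the file. Finally, the domain is the only thing standing between the VM-produced signature and odsign trusting the artifacts, so the comment `# Start a VM` would be more useful as `# Start the CompOS VM to re-check the signature (result reported to odsign via exit status)` if that is indeed how the result is returned; confirm against the binary before wording it as fact.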
diff --git a/private/compos_verify_key.te b/private/compos_verify_key.te
deleted file mode 100644
index e55ff17..0000000
--- a/private/compos_verify_key.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# Run by odsign to verify a CompOs instance's keys.
-type compos_verify_key, domain, coredomain;
-
-type compos_verify_key_exec, exec_type, file_type, system_file_type;
-
-binder_use(compos_verify_key);
-virtualizationservice_use(compos_verify_key);
-
-# Access the image & key files, delete on failure, rename pending to current
-allow compos_verify_key apex_module_data_file:dir search;
-allow compos_verify_key apex_compos_data_file:dir create_dir_perms;
-allow compos_verify_key apex_compos_data_file:file create_file_perms;
-
-# Allow odsign to redirect our stdout/stderr to log
-allow compos_verify_key odsign:fd use;
-allow compos_verify_key odsign_devpts:chr_file { read write };
-
-# Only odsign can enter the domain via exec
-neverallow { domain -odsign } compos_verify_key:process transition;
-neverallow * compos_verify_key:process dyntransition;
diff --git a/private/file.te b/private/file.te
index 9dd0615..ec3944e 100644
--- a/private/file.te
+++ b/private/file.te
@@ -88,6 +88,11 @@
 # /apex/com.android.virt/bin/fd_server
 type fd_server_exec, system_file_type, exec_type, file_type;
 
+# /apex/com.android.compos/bin/compsvc
+type compos_exec, exec_type, file_type, system_file_type;
+# /apex/com.android.compos/bin/compos_key_helper
+type compos_key_helper_exec, exec_type, file_type, system_file_type;
+
 # /metadata/sepolicy
 type sepolicy_metadata_file, file_type;
 
diff --git a/private/odsign.te b/private/odsign.te
index bf097d7..381cf17 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -54,8 +54,8 @@
 # Run fsverity_init to add key to fsverity keyring
 domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
 
-# Run compos_verify_key to verify CompOs instances
-domain_auto_trans(odsign, compos_verify_key_exec, compos_verify_key)
+# Run compos_verify to verify CompOs signatures
+domain_auto_trans(odsign, compos_verify_exec, compos_verify)
 
 # only odsign can set odsign sysprop
 set_prop(odsign, odsign_prop)