commit 766caba5deef2ee02ac8aa1d406a7dab4735dfe1
author Alan Stokes <alanstokes@google.com> Mon Feb 14 14:33:37 2022 +0000
committer Alan Stokes <alanstokes@google.com> Thu Feb 17 12:14:40 2022 +0000
tree 14cb90526165c08e59bf9e639e0a50f6dd067100
parent 8817edcbb47a8681dd6a3644ea9368f1581ba8a8

Modify sepolicy for compos key changes

Add the compos_key_helper domain for the process which has access to
the signing key, make sure it can't be crashdumped. Also extend that
protection to diced & its HAL.

Rename compos_verify_key to compos_verify, because it doesn't verify
keys any more.

Move exec types used by Microdroid to file.te in the host rather than
their own dedicated files.

Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I942667355d8ce29b3a9eb093e0b9c4f6ee0df6c1

private/compos_verify.te

diff --git a/private/compos_verify.te b/private/compos_verify.te
new file mode 100644
index 0000000..0a281f8
--- /dev/null
+++ b/private/compos_verify.te
@@ -0,0 +1,23 @@
+# Run by odsign to verify a CompOS signature
+type compos_verify, domain, coredomain;
+type compos_verify_exec, exec_type, file_type, system_file_type;
+
+# Start a VM
+binder_use(compos_verify);
+virtualizationservice_use(compos_verify);
+
+# Access instance image files
+allow compos_verify apex_module_data_file:dir search;
+r_dir_file(compos_verify, apex_compos_data_file)
+
+# Read CompOS info & signature files
+allow compos_verify apex_art_data_file:dir search;
+allow compos_verify apex_art_data_file:file r_file_perms;
+
+# Allow odsign to redirect our stdout/stderr to log
+allow compos_verify odsign:fd use;
+allow compos_verify odsign_devpts:chr_file { read write };
+
+# Only odsign can enter the domain via exec
+neverallow { domain -odsign } compos_verify:process transition;
+neverallow * compos_verify:process dyntransition;