commit 766caba5deef2ee02ac8aa1d406a7dab4735dfe1
author Alan Stokes <alanstokes@google.com> Mon Feb 14 14:33:37 2022 +0000
committer Alan Stokes <alanstokes@google.com> Thu Feb 17 12:14:40 2022 +0000
tree 14cb90526165c08e59bf9e639e0a50f6dd067100
parent 8817edcbb47a8681dd6a3644ea9368f1581ba8a8

Modify sepolicy for compos key changes

Add the compos_key_helper domain for the process which has access to
the signing key, make sure it can't be crashdumped. Also extend that
protection to diced & its HAL.

Rename compos_verify_key to compos_verify, because it doesn't verify
keys any more.

Move exec types used by Microdroid to file.te in the host rather than
their own dedicated files.

Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I942667355d8ce29b3a9eb093e0b9c4f6ee0df6c1

private/file.te

diff --git a/private/file.te b/private/file.te
index 9dd0615..ec3944e 100644
--- a/private/file.te
+++ b/private/file.te
@@ -88,6 +88,11 @@
 # /apex/com.android.virt/bin/fd_server
 type fd_server_exec, system_file_type, exec_type, file_type;
 
+# /apex/com.android.compos/bin/compsvc
+type compos_exec, exec_type, file_type, system_file_type;
+# /apex/com.android.compos/bin/compos_key_helper
+type compos_key_helper_exec, exec_type, file_type, system_file_type;
+
 # /metadata/sepolicy
 type sepolicy_metadata_file, file_type;