add label for /proc/sys/fs/verity/require_signatures

This CL adds a new label for files created by fsverity.

Bug: 112038861
Test: ls -Z /proc/sys/fs/verity/require_signatures.
Change-Id: I8e49ad9a43282bc608449eb0db4ea78617c4ee9a
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index ac3ab2a..29efc22 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1377,6 +1377,7 @@
 (typeattributeset priv_app_28_0 (priv_app))
 (typeattributeset proc_28_0
   ( proc
+    proc_fs_verity
     proc_keys
     proc_pressure_cpu
     proc_pressure_io
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 20ec084..def17aa 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -37,6 +37,7 @@
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
diff --git a/public/file.te b/public/file.te
index 3f6b2b0..883f4a3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -24,6 +24,7 @@
 type proc_diskstats, fs_type, proc_type;
 type proc_extra_free_kbytes, fs_type, proc_type;
 type proc_filesystems, fs_type, proc_type;
+type proc_fs_verity, fs_type, proc_type;
 type proc_hostname, fs_type, proc_type;
 type proc_hung_task, fs_type, proc_type;
 type proc_interrupts, fs_type, proc_type;
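Review bot: `proc_fs_verity` is declared here in public policy with no neverallow restricting who may write it, even though the sysctl it labels decides whether fs-verity signatures are required. The neighbouring /proc/sys/fs knobs in the genfs_contexts hunk are labelled `proc_security`; any write restrictions attached to that type elsewhere in the policy (not visible in this patch) do not carry over to the new type. Since the init.te hunk shows init as the only intended writer, I would pin that down with something like `neverallow { domain -init } proc_fs_verity:file no_w_file_perms;`, widening the exception set only if another domain genuinely needs to set the knob. A short comment next to the type stating that it guards fs-verity signature enforcement would also help later reviewers of vendor policy.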
diff --git a/public/init.te b/public/init.te
index 88e8dba..2b85053 100644
--- a/public/init.te
+++ b/public/init.te
@@ -538,6 +538,9 @@
 # Allow init to write to /proc/sys/vm/overcommit_memory
 allow init proc_overcommit_memory:file { write };
 
+# Allow init to write to /proc/sys/fs/verity/require_signatures
+allow init proc_fs_verity:file w_file_perms;
+
 # Raw writes to misc block device
 allow init misc_block_device:blk_file w_file_perms;