DO NOT MERGE Fake 29.0 sepolicy prebuilts
I took current AOSP policy as base, then removed sepolicy so that the
set of type and attributes was a subset of types and attributes in Q
sepolicy, with exception of those that have not yet been cleand up in
current AOSP:
mediaswcodec_server
netd_socket
mediaextractor_update_service
thermalserviced
thermalserviced_exec
Bug: 133196056
Test: n/a
Change-Id: I2cbe749777684146114c89e1e6fc3f07400c0ae5
diff --git a/prebuilts/api/29.0/private/fsverity_init.te b/prebuilts/api/29.0/private/fsverity_init.te
new file mode 100644
index 0000000..c6a5edd
--- /dev/null
+++ b/prebuilts/api/29.0/private/fsverity_init.te
@@ -0,0 +1,25 @@
+type fsverity_init, domain, coredomain;
+type fsverity_init_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(fsverity_init)
+
+# Allow this shell script to run and execute toybox
+allow fsverity_init shell_exec:file rx_file_perms;
+allow fsverity_init toolbox_exec:file rx_file_perms;
+
+# Allow to read /proc/keys for searching key id.
+allow fsverity_init proc_keys:file r_file_perms;
+
+# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
+dontaudit fsverity_init init:key view;
+dontaudit fsverity_init vold:key view;
+allow fsverity_init kernel:key { view search write setattr };
+allow fsverity_init fsverity_init:key { view search write };
+
+# Allow init to write to /proc/sys/fs/verity/require_signatures
+allow fsverity_init proc_fs_verity:file w_file_perms;
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit fsverity_init kernel:system module_request;