Add odsign status properties.
These properties are used to communicate odsign status, and allow init
to evict keys and start zygote at the correct moments in time.
Bug: 165630556
Test: no denials from init/odsign
Change-Id: I813e5c1c93d6f00a251a9cce02d0b74e5372c1ce
diff --git a/private/odsign.te b/private/odsign.te
index b35a3ca..0ff3b7b 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -50,6 +50,10 @@
# Run fsverity_init to add key to fsverity keyring
domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
+# only odsign can set odsign sysprop
+set_prop(odsign, odsign_prop)
+neverallow { domain -odsign -init } odsign_prop:property_service set;
+
# Neverallows
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
diff --git a/private/property.te b/private/property.te
index e435628..8ab02f0 100644
--- a/private/property.te
+++ b/private/property.te
@@ -22,6 +22,7 @@
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
+system_internal_prop(odsign_prop)
system_internal_prop(pm_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 98ac9bf..44fa2e2 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -544,6 +544,10 @@
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+odsign.key.done u:object_r:odsign_prop:s0 exact bool
+odsign.verification.done u:object_r:odsign_prop:s0 exact bool
+odsign.verification.success u:object_r:odsign_prop:s0 exact bool
+
dev.bootcomplete u:object_r:boot_status_prop:s0 exact bool
sys.boot_completed u:object_r:boot_status_prop:s0 exact bool