| Yunkai Lim | 486fa9f | 2023-07-26 06:21:30 +0000 | [diff] [blame^] | 1 | type fsverity_init, domain, coredomain; |
| 2 | type fsverity_init_exec, exec_type, file_type, system_file_type; |
| 3 | |
| 4 | init_daemon_domain(fsverity_init) |
| 5 | |
| 6 | # Allow to read /proc/keys for searching key id. |
| 7 | allow fsverity_init proc_keys:file r_file_perms; |
| 8 | |
| 9 | # Ignore denials to access irrelevant keys, as a side effect to access /proc/keys. |
| 10 | dontaudit fsverity_init domain:key view; |
| 11 | allow fsverity_init kernel:key { view search write setattr }; |
| 12 | allow fsverity_init fsverity_init:key { view search write }; |
| 13 | |
| 14 | # Read the on-device signing certificate, to be able to add it to the keyring |
| 15 | allow fsverity_init odsign:fd use; |
| 16 | allow fsverity_init odsign_data_file:file { getattr read }; |
| 17 | |
| 18 | # When kernel requests an algorithm, the crypto API first looks for an |
| 19 | # already registered algorithm with that name. If it fails, the kernel creates |
| 20 | # an implementation of the algorithm from templates. |
| 21 | dontaudit fsverity_init kernel:system module_request; |