Tri Vo | bc8dc3a | 2019-05-26 13:17:08 -0700 | [diff] [blame^] | 1 | type fsverity_init, domain, coredomain; |
| 2 | type fsverity_init_exec, exec_type, file_type, system_file_type; |
| 3 | |
| | # init_daemon_domain() is defined outside this file; in AOSP policy it sets up the |
| | # transition from init into fsverity_init when init executes a fsverity_init_exec file. |
| 4 | init_daemon_domain(fsverity_init) |
| 5 | |
| 6 | # The domain's entry point is a shell script: let it run the shell and execute toybox. |
| 7 | allow fsverity_init shell_exec:file rx_file_perms; |
| 8 | allow fsverity_init toolbox_exec:file rx_file_perms; |
| 9 | |
| 10 | # Allow reading /proc/keys to search for the key id. |
| 11 | allow fsverity_init proc_keys:file r_file_perms; |
| 12 | |
| 13 | # The kernel only prints the keys the reader can access, and only the kernel keyring is needed here, |
| | # so "view" denials on keys owned by init and vold are silenced (dontaudit) rather than granted. |
| 14 | dontaudit fsverity_init init:key view; |
| 15 | dontaudit fsverity_init vold:key view; |
| | # write and setattr on kernel-owned keys are a sensitive grant: they let this domain modify a |
| | # kernel keyring and change its attributes. NOTE(review): presumably needed to load the fs-verity |
| | # keys and then lock the keyring - confirm against the script, and keep this confined to this domain. |
| 16 | allow fsverity_init kernel:key { view search write setattr }; |
| 17 | allow fsverity_init fsverity_init:key { view search write }; |
| 18 | |
| 19 | # Allow fsverity_init (not init itself) to write to /proc/sys/fs/verity/require_signatures. |
| | # That sysctl controls whether fs-verity insists on signed files, so write access should stay this narrow. |
| 20 | allow fsverity_init proc_fs_verity:file w_file_perms; |
| 21 | |
| 22 | # When the kernel requests an algorithm, the crypto API first looks for an |
| 23 | # already registered algorithm with that name. If that fails, the kernel creates |
| 24 | # an implementation of the algorithm from templates. |
| | # The module_request denial is only hidden from the audit log, not granted. |
| | # NOTE(review): presumably the template fallback works without loading a module - confirm. |
| 25 | dontaudit fsverity_init kernel:system module_request; |