# odsign - on-device signing.
type odsign, domain;

# odsign - Binary for signing ART artifacts.
typeattribute odsign coredomain;

type odsign_exec, exec_type, file_type, system_file_type;

# Allow init to start odsign
init_daemon_domain(odsign)

# Allow using persistent storage in /data/odsign
allow odsign odsign_data_file:dir create_dir_perms;
allow odsign odsign_data_file:file create_file_perms;

# Create and use pty created by android_fork_execvp().
create_pty(odsign)

# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
allowxperm odsign apex_art_data_file:file ioctl {
  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
};

# talk to binder services (for keystore)
binder_use(odsign);

# talk to keystore specifically
use_keystore(odsign);

# Use our dedicated keystore key
allow odsign odsign_key:keystore2_key {
  delete
  get_info
  rebind
  use
};

# talk to keymaster
hal_client_domain(odsign, hal_keymaster)

# For ART apex data dir access
allow odsign apex_module_data_file:dir { getattr search };

allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
allow odsign apex_art_data_file:file { rw_file_perms unlink };

# Run odrefresh to refresh ART artifacts
domain_auto_trans(odsign, odrefresh_exec, odrefresh)

# Run fsverity_init to add key to fsverity keyring
domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)

# only odsign can set odsign sysprop
set_prop(odsign, odsign_prop)
neverallow { domain -odsign -init } odsign_prop:property_service set;

# Allow odsign to stop itself
set_prop(odsign, ctl_odsign_prop)

# Neverallows
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
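The `allowxperm ... ioctl { FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS }` rule above is the narrowest part of this policy: odsign may only issue those three ioctls on `apex_art_data_file`, and nothing else. The program below is an added example, not code from the Android project, showing what a process holding exactly those permissions can do with a file: check the `FS_VERITY_FL` inode flag with `FS_IOC_GETFLAGS`, enable fs-verity with `FS_IOC_ENABLE_VERITY` (SHA-256 over 4 KiB blocks, no salt, no built-in signature) and read the resulting Merkle-tree root digest back with `FS_IOC_MEASURE_VERITY`. The ioctl numbers, structs and flag value are the kernel UAPI definitions (used as a fallback only if `<linux/fsverity.h>` is not installed); the function names, the return-code convention and the temp-file path in the usage are this example's own assumptions. Errors the kernel reports for the common failure modes (filesystem without the verity feature, file still open for writing, verity not yet enabled) are passed back as negative errno values rather than hidden.

```c
/* Added example, not part of the Android sepolicy source or odsign itself.
 * Exercises the three ioctls the odsign policy grants on apex_art_data_file.
 * Function names and the return-code convention (0 / count on success,
 * -errno on failure) are this example's own assumptions. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

#ifdef __has_include
# if __has_include(<linux/fsverity.h>)
#  include <linux/fsverity.h>
#  define HAVE_LINUX_FSVERITY_H 1
# endif
#endif

#ifndef HAVE_LINUX_FSVERITY_H
/* Fallback copied from the Linux UAPI header <linux/fsverity.h>. */
#define FS_VERITY_HASH_ALG_SHA256 1
struct fsverity_enable_arg {
    uint32_t version;
    uint32_t hash_algorithm;
    uint32_t block_size;
    uint32_t salt_size;
    uint64_t salt_ptr;
    uint32_t sig_size;
    uint32_t __reserved1;
    uint64_t sig_ptr;
    uint64_t __reserved2[11];
};
struct fsverity_digest {
    uint16_t digest_algorithm;
    uint16_t digest_size;
    uint8_t digest[];
};
#define FS_IOC_ENABLE_VERITY  _IOW('f', 133, struct fsverity_enable_arg)
#define FS_IOC_MEASURE_VERITY _IOWR('f', 134, struct fsverity_digest)
#endif

/* From <linux/fs.h>: the generic inode-flags ioctl and the fs-verity flag. */
#ifndef FS_IOC_GETFLAGS
#define FS_IOC_GETFLAGS _IOR('f', 1, long)
#endif
#ifndef FS_VERITY_FL
#define FS_VERITY_FL 0x00100000
#endif

/* Hex-encode n bytes into out; returns chars written (2n) or 0 if out is too small. */
size_t hex_encode(const unsigned char *in, size_t n, char *out, size_t outlen)
{
    static const char digits[] = "0123456789abcdef";
    if (outlen < 2 * n + 1)
        return 0;
    for (size_t i = 0; i < n; i++) {
        out[2 * i] = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0xf];
    }
    out[2 * n] = '\0';
    return 2 * n;
}

/* FS_IOC_ENABLE_VERITY argument: SHA-256, 4 KiB blocks, no salt and no
 * built-in signature (the signature, if any, is kept outside the file). */
void build_enable_arg(struct fsverity_enable_arg *arg)
{
    memset(arg, 0, sizeof *arg);
    arg->version = 1;
    arg->hash_algorithm = FS_VERITY_HASH_ALG_SHA256;
    arg->block_size = 4096;
}

/* Returns 1 if FS_VERITY_FL is set, 0 if clear, -errno if unsupported. */
int fsverity_flag_set(int fd)
{
    int flags = 0; /* kernel reads/writes an int here despite the 'long' in the ioctl number */
    if (ioctl(fd, FS_IOC_GETFLAGS, &flags) != 0)
        return -errno;
    return (flags & FS_VERITY_FL) ? 1 : 0;
}

/* Returns 0, or -errno: -EOPNOTSUPP (no verity feature on this filesystem),
 * -ETXTBSY (file open for writing elsewhere), -EEXIST (already enabled). */
int fsverity_enable_sha256(int fd)
{
    struct fsverity_enable_arg arg;
    build_enable_arg(&arg);
    if (ioctl(fd, FS_IOC_ENABLE_VERITY, &arg) != 0)
        return -errno;
    return 0;
}

/* Reads the fs-verity root digest as lowercase hex. Returns digest length in
 * bytes, or -errno: -ENODATA (verity not enabled), -ENOTTY (unsupported). */
int fsverity_measure_hex(int fd, char *hex, size_t hexlen)
{
    struct fsverity_digest *d = calloc(1, sizeof *d + 64); /* room for SHA-512 */
    if (!d)
        return -ENOMEM;
    d->digest_size = 64; /* in: buffer size; out: actual digest size */
    if (ioctl(fd, FS_IOC_MEASURE_VERITY, d) != 0) {
        int err = errno;
        free(d);
        return -err;
    }
    int n = d->digest_size;
    size_t w = hex_encode(d->digest, (size_t)n, hex, hexlen);
    free(d);
    return w ? n : -ENOBUFS;
}

/* Usage: ./fsverity_demo <file>   (file must not be open for writing). */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    int fd = open(argv[1], O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    int rc = fsverity_flag_set(fd);
    if (rc == 0) {
        rc = fsverity_enable_sha256(fd);
        if (rc < 0) {
            fprintf(stderr, "FS_IOC_ENABLE_VERITY: %s\n", strerror(-rc));
            return 1;
        }
    }
    char hex[129];
    rc = fsverity_measure_hex(fd, hex, sizeof hex);
    if (rc < 0) {
        fprintf(stderr, "FS_IOC_MEASURE_VERITY: %s\n", strerror(-rc));
        return 1;
    }
    printf("%s  %s (%d-byte digest)\n", hex, argv[1], rc);
    close(fd);
    return 0;
}
```

Two practical points follow from the policy. First, on a device this only works from a domain that holds the `allowxperm` for the target file type; run from any other domain the kernel returns `EACCES` and the denial shows up as an `ioctlcmd` in the audit log, which is the intended behaviour of the narrow `allowxperm`. Second, the digest this program prints is exactly what odsign signs: once `FS_IOC_ENABLE_VERITY` has succeeded the file is immutable, so a later `FS_IOC_MEASURE_VERITY` from a verifier can be compared against the signed digest without rereading the whole file.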