xref: /aosp_15_r20/system/sepolicy/prebuilts/api/33.0/private/odsign.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
# odsign - on-device signing.
#
# Policy for the odsign domain. As granted below, odsign keeps state under
# /data/odsign, uses one dedicated Keystore key (odsign_key), enables and
# measures fs-verity on ART APEX data files, and launches odrefresh,
# fsverity_init and compos_verify, each in its own domain.
type odsign, domain;

# odsign - Binary for signing ART artifacts.
# coredomain marks odsign as a core platform domain.
typeattribute odsign coredomain;

# Label for the odsign executable; init_daemon_domain() below keys the
# init -> odsign transition on this type.
type odsign_exec, exec_type, file_type, system_file_type;

# Allow init to start odsign
init_daemon_domain(odsign)

# Allow using persistent storage in /data/odsign
# odsign may create, modify and delete directories and files of this type.
# The neverallow rules at the end of this file keep every domain other than
# odsign, init and fsverity_init away from it.
allow odsign odsign_data_file:dir create_dir_perms;
allow odsign odsign_data_file:file create_file_perms;

# Allow using persistent storage in /data/odsign/metrics - to add metrics related files
# The directory grant is rw_dir_perms, not create_dir_perms as for
# odsign_data_file above; files in it get the full create_file_perms set.
allow odsign odsign_metrics_file:dir rw_dir_perms;
allow odsign odsign_metrics_file:file create_file_perms;

# Create and use pty created by android_fork_execvp().
create_pty(odsign)

# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
# FS_IOC_GETFLAGS is allowed as well. allowxperm only names which ioctl
# commands are permitted on this type; the base ioctl permission has to come
# from an allow rule (presumably via rw_file_perms on apex_art_data_file
# further down -- confirm against the macro definition).
allowxperm odsign apex_art_data_file:file ioctl {
  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
};

# talk to binder services (for keystore)
binder_use(odsign);

# talk to keystore specifically
use_keystore(odsign);

# Use our dedicated keystore key
# Only these four keystore2_key permissions are granted, and only on
# odsign_key; no other permission of the class is allowed by this rule.
allow odsign odsign_key:keystore2_key {
    delete
    get_info
    rebind
    use
};

# talk to keymaster
hal_client_domain(odsign, hal_keymaster)

# For ART apex data dir access
# Traversal only (getattr, search) on the parent module data directory.
allow odsign apex_module_data_file:dir { getattr search };

# Read/write plus rmdir and rename on the ART data directories, and read/write
# plus unlink on the files in them. create is not listed for files in this
# rule; presumably the artifacts are created by odrefresh -- confirm in
# odrefresh.te.
allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
allow odsign apex_art_data_file:file { rw_file_perms unlink };

# The three helpers below are started through domain_auto_trans, so each one
# runs in its own domain under its own policy instead of inheriting odsign's
# permissions.

# Run odrefresh to refresh ART artifacts
domain_auto_trans(odsign, odrefresh_exec, odrefresh)

# Run fsverity_init to add key to fsverity keyring
domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)

# Run compos_verify to verify CompOs signatures
domain_auto_trans(odsign, compos_verify_exec, compos_verify)

# only odsign can set odsign sysprop
# The neverallow exempts init as well as odsign. It is an assertion checked
# when the policy is built and grants nothing by itself; the set_prop() line
# is what gives odsign the access.
set_prop(odsign, odsign_prop)
neverallow { domain -odsign -init } odsign_prop:property_service set;

# Allow odsign to stop itself
# NOTE(review): unlike odsign_prop, no neverallow for ctl_odsign_prop appears
# in this file; who else may set it is decided elsewhere in the policy.
set_prop(odsign, ctl_odsign_prop)

# Neverallows
# Build-time assertions protecting odsign's persistent state: every domain
# except odsign, init and fsverity_init may at most search odsign_data_file
# directories and may not touch odsign_data_file files at all.
# fsverity_init is exempted presumably because it reads material that odsign
# stores there -- confirm in fsverity_init.te.
neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;