xref: /aosp_15_r20/system/sepolicy/prebuilts/api/34.0/private/compos_verify.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
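# Policy for compos_verify, the helper that odsign runs to verify a CompOS
# signature. The rules below cover VM start-up, the CompOS instance data,
# read-only access to the ART data being verified, and the stdio inherited
# from odsign.
# NOTE(review): the listing path places this copy under prebuilts/api/34.0,
# presumably a frozen API snapshot - confirm before editing rules here.

# Process domain. It is tagged coredomain in addition to domain.
type compos_verify, domain, coredomain;
# Label for the executable file. The rule that moves odsign into compos_verify
# when it executes this file is not part of this file.
type compos_verify_exec, exec_type, file_type, system_file_type;

# Start a VM. Both macros are defined elsewhere; the exact permissions they
# expand to are not visible here.
binder_use(compos_verify);
virtualizationservice_use(compos_verify);

# Read instance image & write VM logs.
# The parent directory is search-only. Inside the CompOS data directory the
# domain gets read-write directory access and may create, read and write files.
allow compos_verify apex_module_data_file:dir search;
allow compos_verify apex_compos_data_file:dir rw_dir_perms;
allow compos_verify apex_compos_data_file:file { rw_file_perms create };

# Read CompOS info & signature files.
# Access to the ART data is read-only in this file: directory search plus
# r_file_perms on files. No rule here lets the verifier write to the files it
# verifies.
allow compos_verify apex_art_data_file:dir search;
allow compos_verify apex_art_data_file:file r_file_perms;

# Allow odsign to redirect our stdout/stderr to log.
# The domain may use file descriptors passed by odsign, and may read and write
# the odsign pty device node. No open permission is granted on that node.
allow compos_verify odsign:fd use;
allow compos_verify odsign_devpts:chr_file { read write };

# Only odsign can enter the domain via exec.
# These are build-time assertions, not grants: the policy build fails if any
# domain other than odsign is allowed a process transition into compos_verify,
# or if any domain at all, odsign included, is allowed a dyntransition into it.
neverallow { domain -odsign } compos_verify:process transition;
neverallow * compos_verify:process dyntransition;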