1*e4a36f41SAndroid Build Coastguard Worker# Run by odsign to verify a CompOS signature 2*e4a36f41SAndroid Build Coastguard Workertype compos_verify, domain, coredomain; 3*e4a36f41SAndroid Build Coastguard Workertype compos_verify_exec, exec_type, file_type, system_file_type; 4*e4a36f41SAndroid Build Coastguard Worker 5*e4a36f41SAndroid Build Coastguard Worker# Start a VM 6*e4a36f41SAndroid Build Coastguard Workerbinder_use(compos_verify); 7*e4a36f41SAndroid Build Coastguard Workervirtualizationservice_use(compos_verify); 8*e4a36f41SAndroid Build Coastguard Worker 9*e4a36f41SAndroid Build Coastguard Worker# Read instance image & write VM logs 10*e4a36f41SAndroid Build Coastguard Workerallow compos_verify apex_module_data_file:dir search; 11*e4a36f41SAndroid Build Coastguard Workerallow compos_verify apex_compos_data_file:dir rw_dir_perms; 12*e4a36f41SAndroid Build Coastguard Workerallow compos_verify apex_compos_data_file:file { rw_file_perms create }; 13*e4a36f41SAndroid Build Coastguard Worker 14*e4a36f41SAndroid Build Coastguard Worker# Read CompOS info & signature files 15*e4a36f41SAndroid Build Coastguard Workerallow compos_verify apex_art_data_file:dir search; 16*e4a36f41SAndroid Build Coastguard Workerallow compos_verify apex_art_data_file:file r_file_perms; 17*e4a36f41SAndroid Build Coastguard Worker 18*e4a36f41SAndroid Build Coastguard Worker# Allow odsign to redirect our stdout/stderr to log 19*e4a36f41SAndroid Build Coastguard Workerallow compos_verify odsign:fd use; 20*e4a36f41SAndroid Build Coastguard Workerallow compos_verify odsign_devpts:chr_file { read write }; 21*e4a36f41SAndroid Build Coastguard Worker 22*e4a36f41SAndroid Build Coastguard Worker# Only odsign can enter the domain via exec 23*e4a36f41SAndroid Build Coastguard Workerneverallow { domain -odsign } compos_verify:process transition; 24*e4a36f41SAndroid Build Coastguard Workerneverallow * compos_verify:process dyntransition; 25