1*e4a36f41SAndroid Build Coastguard Workertype fsverity_init, domain, coredomain; 2*e4a36f41SAndroid Build Coastguard Workertype fsverity_init_exec, exec_type, file_type, system_file_type; 3*e4a36f41SAndroid Build Coastguard Worker 4*e4a36f41SAndroid Build Coastguard Workerinit_daemon_domain(fsverity_init) 5*e4a36f41SAndroid Build Coastguard Worker 6*e4a36f41SAndroid Build Coastguard Worker# Allow to read /proc/keys for searching key id. 7*e4a36f41SAndroid Build Coastguard Workerallow fsverity_init proc_keys:file r_file_perms; 8*e4a36f41SAndroid Build Coastguard Worker 9*e4a36f41SAndroid Build Coastguard Worker# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys. 10*e4a36f41SAndroid Build Coastguard Workerdontaudit fsverity_init domain:key view; 11*e4a36f41SAndroid Build Coastguard Workerallow fsverity_init kernel:key { view search write setattr }; 12*e4a36f41SAndroid Build Coastguard Workerallow fsverity_init fsverity_init:key { view search write }; 13*e4a36f41SAndroid Build Coastguard Worker 14*e4a36f41SAndroid Build Coastguard Worker# Read the on-device signing certificate, to be able to add it to the keyring 15*e4a36f41SAndroid Build Coastguard Workerallow fsverity_init odsign:fd use; 16*e4a36f41SAndroid Build Coastguard Workerallow fsverity_init odsign_data_file:file { getattr read }; 17