# odsign - on-device signing.
#
# SELinux policy for the odsign domain. The rules in this file grant the
# daemon exactly what is visible below: its persistent storage under
# /data/odsign (and the metrics subdirectory), a pty for forked children,
# fs-verity ioctls on ART apex data files, keystore access restricted to its
# own key, and domain transitions into odrefresh, fsverity_init and
# compos_verify. The neverallow rules at the bottom pin the isolation of
# odsign's data and its system property so other policy cannot loosen it.
type odsign, domain;

# odsign - Binary for signing ART artifacts.
# coredomain marks odsign as part of the core (system) policy rather than
# vendor policy.
typeattribute odsign coredomain;

# Label for the odsign executable; system_file_type places it on the
# system partition.
type odsign_exec, exec_type, file_type, system_file_type;

# Allow init to start odsign
# (init_daemon_domain is a policy macro defined outside this file.)
init_daemon_domain(odsign)

# Allow using persistent storage in /data/odsign
# create_*_perms: odsign may create, read, write and remove its own state
# files and directories here.
allow odsign odsign_data_file:dir create_dir_perms;
allow odsign odsign_data_file:file create_file_perms;

# Allow using persistent storage in /data/odsign/metrics - to add metrics related files
# Note the asymmetry: directories get only rw_dir_perms (no creation of
# new metrics directories), while metrics files may be created.
allow odsign odsign_metrics_file:dir rw_dir_perms;
allow odsign odsign_metrics_file:file create_file_perms;

# Create and use pty created by android_fork_execvp().
create_pty(odsign)

# FS_IOC_ENABLE_VERITY, FS_IOC_MEASURE_VERITY and FS_IOC_GETFLAGS on ART
# data files.
# The generic ioctl permission itself comes from rw_file_perms on
# apex_art_data_file below; this allowxperm narrows the permitted ioctl
# commands to the three listed, so any other ioctl on these files is
# denied.
allowxperm odsign apex_art_data_file:file ioctl {
  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
};

# talk to binder services (for keystore)
binder_use(odsign);

# talk to keystore specifically
use_keystore(odsign);

# Use our dedicated keystore key
# Only these four keystore2_key permissions are granted on odsign_key;
# no other keystore2_key operation on this key is allowed to odsign.
allow odsign odsign_key:keystore2_key {
    delete
    get_info
    rebind
    use
};

# talk to keymaster
hal_client_domain(odsign, hal_keymaster)

# For ART apex data dir access
# Parent directory: traversal and stat only, no listing or modification.
allow odsign apex_module_data_file:dir { getattr search };

# ART artifact directories and files: full read/write plus removal and
# rename of directories, and unlinking of files, so stale artifacts can be
# replaced.
allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
allow odsign apex_art_data_file:file { rw_file_perms unlink };

# Run odrefresh to refresh ART artifacts
domain_auto_trans(odsign, odrefresh_exec, odrefresh)

# Run fsverity_init to add key to fsverity keyring
domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)

# Run compos_verify to verify CompOs signatures
domain_auto_trans(odsign, compos_verify_exec, compos_verify)

# only odsign can set odsign sysprop
# The neverallow makes this a compile-time guarantee: no domain other than
# odsign and init may be granted set on odsign_prop anywhere in the policy.
set_prop(odsign, odsign_prop)
neverallow { domain -odsign -init } odsign_prop:property_service set;

# Allow odsign to stop itself
set_prop(odsign, ctl_odsign_prop)

# Neverallows
# Apart from odsign, init and fsverity_init, no domain may hold any
# permission on odsign_data_file directories other than search (so paths
# through /data/odsign can still be traversed), and none at all on
# odsign_data_file files. Policy elsewhere that tries to grant more fails
# to compile.
neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;