1type fsverity_init, domain, coredomain;
2type fsverity_init_exec, exec_type, file_type, system_file_type;
3
4init_daemon_domain(fsverity_init)
5
6# Allow to read /proc/keys for searching key id.
7allow fsverity_init proc_keys:file r_file_perms;
8
9# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
10dontaudit fsverity_init init:key view;
11dontaudit fsverity_init vold:key view;
12allow fsverity_init kernel:key { view search write setattr };
13allow fsverity_init fsverity_init:key { view search write };
14
15# Allow init to write to /proc/sys/fs/verity/require_signatures
16allow fsverity_init proc_fs_verity:file w_file_perms;
17
18# Read the on-device signing certificate, to be able to add it to the keyring
19allow fsverity_init odsign:fd use;
20allow fsverity_init odsign_data_file:file { getattr read };
21
22# When kernel requests an algorithm, the crypto API first looks for an
23# already registered algorithm with that name. If it fails, the kernel creates
24# an implementation of the algorithm from templates.
25dontaudit fsverity_init kernel:system module_request;
26