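# odsign - on-device signing.
# Domain the on-device signing binary runs in.
type odsign, domain;

# odsign - Binary for signing ART artifacts.
# Tag the domain with the coredomain attribute.
typeattribute odsign coredomain;

# Label for the odsign executable itself; init_daemon_domain() below refers
# to it through the <domain>_exec naming convention.
type odsign_exec, exec_type, file_type, system_file_type;

# Allow init to start odsign: sets up the automatic transition from init
# into the odsign domain when init executes a file labelled odsign_exec.
init_daemon_domain(odsign)
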
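# Allow using persistent storage in /data/odsign
# The create_* permission sets let odsign create, modify and remove entries
# labelled odsign_data_file. The neverallow rules at the end of this file
# keep every other domain (bar the listed exemptions) off this label.
allow odsign odsign_data_file:dir create_dir_perms;
allow odsign odsign_data_file:file create_file_perms;

# Create and use pty created by android_fork_execvp().
create_pty(odsign)

# fs-verity ioctls on ART data files: FS_IOC_ENABLE_VERITY and
# FS_IOC_MEASURE_VERITY, plus FS_IOC_GETFLAGS.
# allowxperm only names which ioctl commands are acceptable; the ioctl
# permission itself has to come from an allow rule on
# apex_art_data_file:file (presumably the rw_file_perms grant further down;
# NOTE(review): confirm rw_file_perms includes ioctl in this tree).
allowxperm odsign apex_art_data_file:file ioctl {
  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
};
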
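# talk to binder services (for keystore)
binder_use(odsign);

# talk to keystore specifically
use_keystore(odsign);

# Use our dedicated keystore key
# The grant is scoped to the odsign_key label only, and to four
# keystore2_key permissions: delete, get_info, rebind, use. This rule gives
# no other keystore2_key permission (for example grant) and no access to
# keys under any other label.
allow odsign odsign_key:keystore2_key {
    delete
    get_info
    rebind
    use
};

# talk to keymaster
# Makes odsign a client of the keymaster HAL.
hal_client_domain(odsign, hal_keymaster)
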
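# For ART apex data dir access
# Parent directory: traversal only (getattr, search), no listing or writes.
allow odsign apex_module_data_file:dir { getattr search };

# ART data itself: the read/write permission sets plus rmdir on directories
# and unlink on files, so odsign can remove artifacts. create is not among
# the permissions named here (NOTE(review): confirm against the rw_*_perms
# macro definitions in this tree).
allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
allow odsign apex_art_data_file:file { rw_file_perms unlink };

# Run odrefresh to refresh ART artifacts
# Executing a file labelled odrefresh_exec switches to the odrefresh domain,
# so the child runs under its own policy rather than inheriting odsign's
# grants (including the keystore key access above).
domain_auto_trans(odsign, odrefresh_exec, odrefresh)

# Run fsverity_init to add key to fsverity keyring
# Same pattern: fsverity_init runs in its own domain, not as odsign.
domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
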
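# only odsign (and init, which the neverallow below also exempts) can set
# the odsign sysprop
set_prop(odsign, odsign_prop)
neverallow { domain -odsign -init } odsign_prop:property_service set;

# Allow odsign to stop itself
# NOTE(review): unlike odsign_prop, no neverallow in this file restricts who
# may set ctl_odsign_prop; confirm that is covered elsewhere in the policy.
set_prop(odsign, ctl_odsign_prop)

# Neverallows
# No domain other than odsign, init and fsverity_init may hold any
# permission on odsign_data_file directories or files.
# NOTE(review): this file does not say why fsverity_init is exempt;
# presumably it reads material odsign stores there. Confirm against
# fsverity_init's own policy that its actual grant is read-only and narrow.
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
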