| # apkdmverity is a program that protects a signed APK file using dm-verity. |
| |
| type apkdmverity, domain, coredomain; |
| type apkdmverity_exec, exec_type, file_type, system_file_type; |
| |
| # apkdmverity is using bootstrap bionic |
| use_bootstrap_libs(apkdmverity) |
| |
| # apkdmverity accesses "payload metadata disk" which points to |
| # a /dev/vd* block device file. |
| allow apkdmverity block_device:dir r_dir_perms; |
| allow apkdmverity block_device:lnk_file r_file_perms; |
| allow apkdmverity vd_device:blk_file r_file_perms; |
| |
| # allow apkdmverity to create dm-verity devices |
| allow apkdmverity dm_device:{chr_file blk_file} rw_file_perms; |
| # sys_admin is required to access the device-mapper and mount |
| allow apkdmverity self:global_capability_class_set sys_admin; |
| |
| # allow apkdmverity to create loop devices with /dev/loop-control |
| allow apkdmverity loop_control_device:chr_file rw_file_perms; |
| |
| # allow apkdmverity to read the roothash passed from microdroid_manager |
| get_prop(apkdmverity, microdroid_manager_roothash_prop) |
| |
| # allow apkdmverity to access loop devices |
| allow apkdmverity loop_device:blk_file rw_file_perms; |
| allowxperm apkdmverity loop_device:blk_file ioctl { |
| LOOP_CONFIGURE |
| }; |
| |
| # allow apkdmverity to log to the kernel |
| allow apkdmverity kmsg_device:chr_file w_file_perms; |
| |
| # allow apkdmverity to write kmsg_debug (stdio_to_kmsg) inherited from microdroid_manager. |
| allow apkdmverity kmsg_debug_device:chr_file w_file_perms; |
| |
| # apkdmverity is forked from microdroid_manager |
| allow apkdmverity microdroid_manager:fd use; |
| |
| # Only microdroid_manager can run apkdmverity |
| neverallow { domain -microdroid_manager } apkdmverity:process { transition dyntransition }; |