Merge "Remove all SELinux policy related to fsverity_init" into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index fc2d7b8..fcaf9f6 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -321,7 +321,6 @@
/system/bin/fsck.f2fs fsck_exec
/system/bin/init init_exec
/system/bin/mini-keyctl toolbox_exec
-/system/bin/fsverity_init fsverity_init_exec
/system/bin/sload_f2fs e2fs_exec
/system/bin/make_f2fs e2fs_exec
/system/bin/fsck_msdos fsck_exec
diff --git a/private/domain.te b/private/domain.te
index a8ec298..6aaf5de 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -526,11 +526,12 @@
# still contains global information about the system.
neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transaction_history:file no_rw_file_perms;
-# Allow access to fsverity keyring.
+# Needed for loading kernel modules.
+# TODO(384942085): Reduce the scope.
allow domain kernel:key search;
-# Allow access to keys in the fsverity keyring that were installed at boot.
-allow domain fsverity_init:key search;
+
# For testing purposes, allow access to keys installed with su.
+# TODO(277916185): Remove since this shouldn't be needed anymore.
userdebug_or_eng(`
allow domain su:key search;
')
diff --git a/private/file_contexts b/private/file_contexts
index d6f7113..7e7ae7c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -256,7 +256,6 @@
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
-/system/bin/fsverity_init u:object_r:fsverity_init_exec:s0
/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
deleted file mode 100644
index a3765ec..0000000
--- a/private/fsverity_init.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type fsverity_init, domain, coredomain;
-type fsverity_init_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(fsverity_init)
-
-# Allow to read /proc/keys for searching key id.
-allow fsverity_init proc_keys:file r_file_perms;
-
-# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
-dontaudit fsverity_init domain:key view;
-allow fsverity_init kernel:key { view search write setattr };
-allow fsverity_init fsverity_init:key { view search write };
-
-# Read the on-device signing certificate, to be able to add it to the keyring
-allow fsverity_init odsign:fd use;
-allow fsverity_init odsign_data_file:file { getattr read };
diff --git a/private/odsign.te b/private/odsign.te
index f06795c..4af0708 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -51,9 +51,6 @@
# Run odrefresh to refresh ART artifacts
domain_auto_trans(odsign, odrefresh_exec, odrefresh)
-# Run fsverity_init to add key to fsverity keyring
-domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
-
# Run compos_verify to verify CompOs signatures
domain_auto_trans(odsign, compos_verify_exec, compos_verify)
@@ -65,5 +62,5 @@
set_prop(odsign, ctl_odsign_prop)
# Neverallows
-neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
-neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;
+neverallow { domain -odsign -init} odsign_data_file:dir ~search;
+neverallow { domain -odsign -init} odsign_data_file:file *;
