blob: e55ff17489875ebec784c08549d411727f830e57 [file] [log] [blame]
# Run by odsign to verify a CompOs instance's keys.
type compos_verify_key, domain, coredomain;
type compos_verify_key_exec, exec_type, file_type, system_file_type;
binder_use(compos_verify_key);
virtualizationservice_use(compos_verify_key);
# Access the image & key files, delete on failure, rename pending to current
allow compos_verify_key apex_module_data_file:dir search;
allow compos_verify_key apex_compos_data_file:dir create_dir_perms;
allow compos_verify_key apex_compos_data_file:file create_file_perms;
# Allow odsign to redirect our stdout/stderr to log
allow compos_verify_key odsign:fd use;
allow compos_verify_key odsign_devpts:chr_file { read write };
# Only odsign can enter the domain via exec
neverallow { domain -odsign } compos_verify_key:process transition;
neverallow * compos_verify_key:process dyntransition;