Mark fs-verity support for /metadata if first_api_level >= R

fs-verity is required for new devices launched with R.

This allows files stored on /metadata to be protected by fs-verity.

Bug: 199914227
Test: mini-keyctl padd asymmetric fsv-sepolicy .fs-verity \
< /system/etc/security/com.android.sepolicy.cert.der
cp /apex/com.android.sepolicy.apex/app/SEPolicy-33/SEPolicy-33.apk \
/metadata/sepolicy/
fsverity enable /metadata/sepolicy/SEPolicy-33.apk \
--signature=/apex/com.android.sepolicy.apex/etc/SEPolicy-33.apk.fsv_sig

Change-Id: I44434e3d026f1dbe6e261c365b3c70d3556a80b1
diff --git a/fs_mgr/fs_mgr_fstab.cpp b/fs_mgr/fs_mgr_fstab.cpp
index 809aa61..94277a1 100644
--- a/fs_mgr/fs_mgr_fstab.cpp
+++ b/fs_mgr/fs_mgr_fstab.cpp
@@ -666,9 +666,11 @@
 }
 
 void EnableMandatoryFlags(Fstab* fstab) {
-    // Devices launched in R and after should enable fs_verity on userdata. The flag causes tune2fs
-    // to enable the feature. A better alternative would be to enable on mkfs at the beginning.
+    // Devices launched in R and after must support fs_verity. Set flag to cause tune2fs
+    // to enable the feature on userdata and metadata partitions.
     if (android::base::GetIntProperty("ro.product.first_api_level", 0) >= 30) {
+        // Devices launched in R and after should enable fs_verity on userdata.
+        // A better alternative would be to enable on mkfs at the beginning.
         std::vector<FstabEntry*> data_entries = GetEntriesForMountPoint(fstab, "/data");
         for (auto&& entry : data_entries) {
             // Besides ext4, f2fs is also supported. But the image is already created with verity
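Review bot: The two comments in this hunk now disagree on strength: the function-level one says devices launched in R and after "must support" fs_verity, while the inner one says they "should enable" it on userdata and restates the launch-level condition the `if` already expresses. I would keep the requirement in the outer comment and reduce the inner one to what is specific to /data, e.g. `// userdata: ideally enabled at mkfs time rather than via tune2fs.`. The /data loop body continues past the end of this hunk.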
@@ -677,6 +679,12 @@
                 entry->fs_mgr_flags.fs_verity = true;
             }
         }
+        // Devices shipping with S and earlier likely do not already have fs_verity enabled via
+        // mkfs, so enable it here.
+        std::vector<FstabEntry*> metadata_entries = GetEntriesForMountPoint(fstab, "/metadata");
+        for (auto&& entry : metadata_entries) {
+            entry->fs_mgr_flags.fs_verity = true;
+        }
     }
 }
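Review bot: The new /metadata loop sets `fs_verity` on every entry without looking at the filesystem type, whereas the /data loop just above appears to set it only under a condition (its closing brace is visible, but the condition itself falls between the two hunks). The function comment says the flag works by making tune2fs enable the feature, so an entry that is not ext4 would presumably carry the flag without the feature being turned on, and files under /metadata/sepolicy would not get the protection the commit message describes. Consider the same guard here, e.g. `if (entry->fs_type == "ext4") entry->fs_mgr_flags.fs_verity = true;`, or a comment stating why /metadata needs none. The comment above the loop says "S and earlier" although the enclosing check is `first_api_level >= 30`; naming the range (R through S) would stop it being read as covering pre-R devices.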