Merge "Allow composd to enable fs-verity to compiled artifacts"
diff --git a/private/composd.te b/private/composd.te
index d007d66..96991c6 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -17,8 +17,9 @@
 allow composd apex_art_staging_data_file:dir { create_dir_perms relabelto };
 allow composd apex_art_staging_data_file:file { getattr unlink };
 
-# Delete files in the odrefresh target directory
-allow composd apex_art_data_file:file unlink;
+# Delete files or enable fs-verity in the odrefresh target directory
+allow composd apex_art_data_file:file { open ioctl read unlink write };
+allowxperm composd apex_art_data_file:file ioctl FS_IOC_ENABLE_VERITY;
 
 # Access our APEX data files
 allow composd apex_module_data_file:dir search;
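Review bot: The `write` permission added to the `apex_art_data_file:file` allow rule lets composd modify compiled artifacts, not only seal them, and the comment above it does not say why it is needed. If it is there only because the fs-verity enable ioctl performs a write-access check on the file (this looks like the reason, but confirm it), record that next to the rule: `# write is required only by the FS_IOC_ENABLE_VERITY access check; composd must not modify artifact contents`. The `allowxperm` line already limits `ioctl` to the single command, so the comment only needs to cover `open`, `read` and `write`.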
@@ -34,4 +35,4 @@
 get_prop(composd, device_config_runtime_native_boot_prop)
 
 # We never create any artifact files directly
-neverallow composd apex_art_data_file:file ~unlink;
+neverallow composd apex_art_data_file:file create;
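Review bot: Replacing `~unlink` with `create` in the neverallow drops the build-time guard on every other file permission, so a later rule could grant composd `append`, `rename`, `setattr` or `relabelto` on these artifacts without the policy build failing. Using the complement of the set granted in the first hunk keeps the old strictness: `neverallow composd apex_art_data_file:file ~{ open ioctl read unlink write };`. Adding `neverallowxperm composd apex_art_data_file:file ioctl ~FS_IOC_ENABLE_VERITY;` would pin the ioctl allowlist the same way. This assumes no rule outside the visible hunks grants composd further permissions on this type.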