Merge "Allow system_server to read vendor_file"
diff --git a/public/installd.te b/public/installd.te
index 8a76166..f21cef9 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -13,6 +13,12 @@
allow installd apk_data_file:file { create_file_perms relabelfrom link };
allow installd apk_data_file:lnk_file { create r_file_perms unlink };
+# FS_IOC_ENABLE_VERITY and FS_IOC_SET_VERITY_MEASUREMENT ioctls
+# on APKs in /data/app, to support fsverity
+allowxperm installd apk_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_SET_VERITY_MEASUREMENT
+};
+
allow installd asec_apk_file:file r_file_perms;
allow installd apk_tmp_file:file { r_file_perms unlink };
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
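Review bot: The comment above the new `allowxperm` rule reads as if it grants two ioctls, but an `allowxperm` rule grants nothing on its own. The base `ioctl` permission has to come from the `allow installd apk_data_file:file` rule at the top of the hunk, presumably through `create_file_perms`. Once this rule exists, every other ioctl command installd issues on `apk_data_file:file` is denied unless another allowxperm rule, not visible here, covers it. I would say so in the comment, e.g. `# Limit installd ioctls on /data/app APKs to the fs-verity pair; the ioctl permission itself comes from the allow rule above.` It is also worth confirming that installd needs no other ioctl on these files, since anything outside the list will surface as an avc denial carrying an `ioctlcmd=` field.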
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 63cf250..cbf4903 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -801,12 +801,14 @@
define(`FS_IOC32_GETVERSION', `0x80047601')
define(`FS_IOC32_SETFLAGS', `0x40046602')
define(`FS_IOC32_SETVERSION', `0x40047602')
+define(`FS_IOC_ENABLE_VERITY', `0x6685')
define(`FS_IOC_FIEMAP', `0xc020660b')
define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
define(`FS_IOC_GETFLAGS', `0x80086601')
define(`FS_IOC_GETVERSION', `0x80087601')
define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
+define(`FS_IOC_SET_VERITY_MEASUREMENT', `0x6686')
define(`FS_IOC_SETFLAGS', `0x40086602')
define(`FS_IOC_SETVERSION', `0x40087602')
define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
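Review bot: The two new entries, `FS_IOC_ENABLE_VERITY` (`0x6685`) and `FS_IOC_SET_VERITY_MEASUREMENT` (`0x6686`), carry only the 16-bit type/number pair, while every neighbouring define in this hunk uses the full 32-bit encoding with direction and size bits. The rule in installd.te still matches, because the SELinux extended-permission check compares only the low 16 bits of the command. The difference looks like an oversight to a later reader, though, and it hides the argument size that the other entries document. I would either use the full encoded value from the kernel UAPI header the device ships, or add a line such as `# fs-verity: type/nr bits only (0x66, 0x85/0x86); direction and size bits omitted`. A comment should first be checked against this file's conventions, since the visible entries carry none.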