Allow system_server to measure fs-verity Bug: 242892591 Test: atest GtsFontHostTestCases Test: Manually verified the font files can be updated Change-Id: Ic72fcca734dc7bd20352d760ec43002707e4c47d

commit: 2b4bcf73e00d49583764245065615f8062ec639e [log] [tgz]
author: Seigo Nonaka <nona@google.com> Tue Nov 01 16:11:16 2022 +0900
committer: Seigo Nonaka <nona@google.com> Tue Nov 01 16:21:20 2022 +0900
tree: 1fa15d3129ec1f9554ee6140e1ad054f8314a34a
parent: b65de6ed0aa0b21e44a32daa4952265534c7dd4a [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index aedebaf..9d1f97f 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1216,8 +1216,8 @@
 # Font files are written by system server
 allow system_server font_data_file:file create_file_perms;
 allow system_server font_data_file:dir create_dir_perms;
-# Allow system process to setup fs-verity for font files
-allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+# Allow system process to setup and measure fs-verity for font files
+allowxperm system_server font_data_file:file ioctl { FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY };
 
 # Read qemu.hw.mainkeys property
 get_prop(system_server, qemu_hw_prop)
commit	2b4bcf73e00d49583764245065615f8062ec639e	[log] [tgz]
author	Seigo Nonaka <nona@google.com>	Tue Nov 01 16:11:16 2022 +0900
committer	Seigo Nonaka <nona@google.com>	Tue Nov 01 16:21:20 2022 +0900
tree	1fa15d3129ec1f9554ee6140e1ad054f8314a34a
parent	b65de6ed0aa0b21e44a32daa4952265534c7dd4a [diff] [blame]