Sepolicy: Add runtime APEX preinstall fsverity permissions Add rights to create and install fsverity data. Bug: 125474642 Test: m Change-Id: I752c40c7b396b2da082cb17641702a2c5c11b9c3

commit: 57346a0566ca10a59f42811b0aee80784f60b514 [log] [tgz]
author: Andreas Gampe <agampe@google.com> Tue Feb 12 14:56:22 2019 -0800
committer: Andreas Gampe <agampe@google.com> Thu Feb 28 05:12:56 2019 -0800
tree: ca762d9fb75d265598a30f3bc35dea93385b0581
parent: ae127d8340291640c7fbad99219560b0ca21ccd9 [diff]
diff --git a/private/art_apex_preinstall.te b/private/art_apex_preinstall.te
index 438340b..99341ec 100644
--- a/private/art_apex_preinstall.te
+++ b/private/art_apex_preinstall.te

@@ -24,3 +24,16 @@
 
 # Run dex2oat.
 domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)
+
+# Fsverity in the same domain.
+allow art_apex_preinstall system_file:file execute_no_trans;
+# Fsverity work.
+allowxperm art_apex_preinstall ota_data_file:file ioctl {
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+allow art_apex_preinstall kernel:key search;
+# For testing purposes, allow keys installed with su.
+userdebug_or_eng(`
+  allow art_apex_preinstall su:key search;
+')
commit	57346a0566ca10a59f42811b0aee80784f60b514	[log] [tgz]
author	Andreas Gampe <agampe@google.com>	Tue Feb 12 14:56:22 2019 -0800
committer	Andreas Gampe <agampe@google.com>	Thu Feb 28 05:12:56 2019 -0800
tree	ca762d9fb75d265598a30f3bc35dea93385b0581
parent	ae127d8340291640c7fbad99219560b0ca21ccd9 [diff]