Allow system_server to verify installed apps

This commit allows system_server to call the FS_IOC_SETFLAGS ioctl.

Bug: 259756715
Fixes: 272527416
Test: Flash and pair watch, verify denial logs after apps are updated.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8d15734fb52ce08461fd4259ddfd22e889cf9061)
Merged-In: I7a99d3bb7deb3683b342795cb1bbef7abbbcbe38

Change-Id: I7a99d3bb7deb3683b342795cb1bbef7abbbcbe38
diff --git a/private/system_server.te b/private/system_server.te
index 0306598..aab36d9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1107,6 +1107,7 @@
 
 # Allow system process to measure fs-verity for apps, apps being installed and system files
 allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
+allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS;
 allow system_server system_file:file ioctl;
 
 # Postinstall
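
Review bot: The added `allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS;` line sits under a comment that only describes measuring fs-verity, but FS_IOC_SETFLAGS modifies inode flags rather than reading a measurement, so the comment no longer matches what the block grants. Please add a separate comment line above the new rule stating which flag system_server needs to set on files being installed and why, since neither the policy comment nor the commit message says so. The rule is scoped to apk_tmp_file only, while the commit title speaks of verifying installed apps; if apk_data_file is intentionally excluded, the comment is a good place to say that as well. Also worth confirming that a base `allow system_server apk_tmp_file:file ioctl;` exists elsewhere in the policy, because the only plain ioctl allow visible in this hunk is for system_file, and an allowxperm rule has no effect without it.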