Allow apexd to enable fsverity on /metadata
Bug: 218672709
Test: manual tests
Change-Id: Idaead3ecd3f3488512908febbdc368e184b7bca9
diff --git a/private/apexd.te b/private/apexd.te
index 69645a1..040651d 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -16,6 +16,10 @@
# Allow creating and writing APEX files/dirs in the SEPolicy metadata dir
allow apexd sepolicy_metadata_file:dir create_dir_perms;
allow apexd sepolicy_metadata_file:file create_file_perms;
+# Allow apexd to setup fs-verity for SEPolicy files in metadata
+allowxperm apexd sepolicy_metadata_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
# Allow reserving space on /data/apex/ota_reserved for apex decompression
allow apexd apex_ota_reserved_file:dir create_dir_perms;
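Review bot: The comment on the new `allowxperm` rule says only "setup", but the rule also grants `FS_IOC_MEASURE_VERITY`, so it should name both operations, e.g. `# Allow apexd to enable fs-verity on SEPolicy files in metadata and read back their verity digest`. The extended-permission allowlist only takes effect because the `allow apexd sepolicy_metadata_file:file create_file_perms;` line just above carries the base `ioctl` permission (assuming the usual macro expansion). A short comment saying so would keep a later tightening of that rule from silently breaking verity enablement. apexd also keeps create, rename and unlink on the same type, so fs-verity here fixes a file's contents but does not stop the file being replaced. Presumably the consumer of these files compares the measured digest with a trusted value; that is not visible in this hunk and is worth confirming, since the only test listed is manual.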