Sepolicy: Add runtime APEX postinstall fsverity permissions

Add rights to check and enable fsverity data.

Bug: 125474642
Test: m
Change-Id: I35ce4d6ac3db5b00d35860033a5751de26acf17c
diff --git a/private/art_apex_postinstall.te b/private/art_apex_postinstall.te
index 4c775e8..314fb7c 100644
--- a/private/art_apex_postinstall.te
+++ b/private/art_apex_postinstall.te
@@ -21,3 +21,16 @@
 # Script helpers.
 allow art_apex_postinstall shell_exec:file rx_file_perms;
 allow art_apex_postinstall toolbox_exec:file rx_file_perms;
+
+# Fsverity in the same domain.
+allow art_apex_postinstall system_file:file execute_no_trans;
+# Fsverity work.
+allowxperm art_apex_postinstall ota_data_file:file ioctl {
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+allow art_apex_postinstall kernel:key search;
+# For testing purposes, allow keys installed with su.
+userdebug_or_eng(`
+  allow art_apex_postinstall su:key search;
+')
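Review bot: The `execute_no_trans` grant on `system_file:file` is wider than its comment "Fsverity in the same domain" suggests, because it lets the postinstall domain run any file labelled `system_file` without a domain transition, not only the fsverity tool. If that tool can be given its own exec type, the rule could name that type; otherwise the comment should state the scope, e.g. `# Runs the fsverity tool in-domain; it is presumably labelled system_file, so this rule covers every system_file executable.` Separately, the `allowxperm` rule only whitelists `FS_IOC_ENABLE_VERITY` and `FS_IOC_MEASURE_VERITY` if a base `allow art_apex_postinstall ota_data_file:file ioctl;` rule exists. The first 20 lines of the file are outside this hunk, so confirm the base rule is present there. The `kernel:key search` rule also has no comment, unlike its neighbours; a line such as `# Look up the fs-verity keys held in the kernel keyring.` would help if that is the intent.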