Allow system_server to enable fs-verity on staging APK This allows package manager enables fs-verity to an APK if it is installed with .idsig in the classic install session (non-incremental). This is done in ag/24707249 behind a flag. This sepolicy change was missed by mistake. Bug: 277344944 Test: atest android.appsecurity.cts.PkgInstallSignatureVerificationTest Change-Id: If403d84611b69ab076a808addebbd5f0738cdc68

commit: 6b71195fbed5dae5458ec13606aa595373158d99 [log] [tgz]
author: Victor Hsieh <victorhsieh@google.com> Wed Sep 13 12:09:09 2023 -0700
committer: Victor Hsieh <victorhsieh@google.com> Fri Sep 22 10:20:22 2023 -0700
tree: 288dc9aa41968fe83559701b7ddd277513bc7881
parent: b6314bd9cab8b534f7ceeb897e17f87f8bc7ee30 [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index 1c3fbbb..5594874 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1114,7 +1114,7 @@
 allow system_server toolbox_exec:file rx_file_perms;
 
 # Allow system process to setup fs-verity
-allowxperm system_server { apk_data_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
+allowxperm system_server { apk_data_file apk_tmp_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
 
 # Allow system process to measure fs-verity for apps, including those being installed
 allowxperm system_server { apk_data_file apk_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
commit	6b71195fbed5dae5458ec13606aa595373158d99	[log] [tgz]
author	Victor Hsieh <victorhsieh@google.com>	Wed Sep 13 12:09:09 2023 -0700
committer	Victor Hsieh <victorhsieh@google.com>	Fri Sep 22 10:20:22 2023 -0700
tree	288dc9aa41968fe83559701b7ddd277513bc7881
parent	b6314bd9cab8b534f7ceeb897e17f87f8bc7ee30 [diff] [blame]