Allow fs-verity setup within system_server The original fs-verity implementation requires CAP_SYS_ADMIN and thus the actual setup is proxied through installd. Instead, upstream FS_IOC_ENABLE_VERITY ioctl checks write permission to inode, and thus can happen in system_server. Also, replace the old measure ioctl with FS_IOC_SET_VERITY_MEASUREMENT. Note that although the number is name, they work differently. Test: set ro.apk_verity.mode=2, in-progress CTS passed without denial Bug: 112037636 Change-Id: I3e8d14321df8904dfed68b83aae8b3dd99c211ac

commit: 7397ebd1e1084d9a53a751abe77b5788455cbc38 [log] [tgz]
author: Victor Hsieh <victorhsieh@google.com> Fri Jan 04 13:06:20 2019 -0800
committer: Victor Hsieh <victorhsieh@google.com> Fri Jan 11 12:21:59 2019 -0800
tree: ce8268ac8f3af3c596069e22360f4c07255fa349
parent: b7246ac0b624da3cc65586f3a9aa255e6c959262 [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index ae6d687..e183606 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -789,6 +789,13 @@
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
 
+# Allow system process to setup and measure fs-verity
+allowxperm system_server apk_data_file:file ioctl {
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+# Allow system process to access the keyring.
+allow system_server kernel:key search;
+
 # Postinstall
 #
 # For OTA dexopt, allow calls coming from postinstall.
commit	7397ebd1e1084d9a53a751abe77b5788455cbc38	[log] [tgz]
author	Victor Hsieh <victorhsieh@google.com>	Fri Jan 04 13:06:20 2019 -0800
committer	Victor Hsieh <victorhsieh@google.com>	Fri Jan 11 12:21:59 2019 -0800
tree	ce8268ac8f3af3c596069e22360f4c07255fa349
parent	b7246ac0b624da3cc65586f3a9aa255e6c959262 [diff] [blame]