IncFS: update SE policies for the new API

IncFS in S adds a bunch of new ioctls, and requires the users
to read its features in the sysfs directory. This change adds
all the features, maps them into the processes that need to
call into them, and allows any incfs user to query the features.

Bug: 170231230
Test: incremental unit tests
Change-Id: Ieea6dca38ae9829230bc17d0c73f50c93c407d35
diff --git a/private/priv_app.te b/private/priv_app.te
index 46362a0..9fd319f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -152,9 +152,16 @@
 allow priv_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
+# Access the IncFS list of features
+r_dir_file(priv_app, sysfs_fs_incfs_features)
+
 # allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System, and fill missing blocks in the apk
-allowxperm priv_app apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
+# the Incremental File System, fill missing blocks and get the app status
+allowxperm priv_app apk_data_file:file ioctl {
+  INCFS_IOCTL_READ_SIGNATURE
+  INCFS_IOCTL_FILL_BLOCKS
+  INCFS_IOCTL_GET_BLOCK_COUNT
+};
 
 # allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
 allow priv_app incremental_control_file:file { read getattr ioctl };
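Review bot: In the rewritten comment above the allowxperm rule, "get the app status" does not match the permission that is actually added, INCFS_IOCTL_GET_BLOCK_COUNT; word the comment after what the ioctl returns (for example "query block counts") so that a later audit of the xperm list can tell why each entry is there. The new r_dir_file(priv_app, sysfs_fs_incfs_features) line grants read access to the whole priv_app domain, and its comment only says "Access the IncFS list of features"; it would help to state which callers need it, the way the neighbouring comments name Phonesky and com.android.vending.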