commit 8b65b0b12db79ed492706251eec45497bd75e8e0
author Victor Hsieh <victorhsieh@google.com> Wed Nov 27 10:06:03 2019 -0800
committer Victor Hsieh <victorhsieh@google.com> Tue Dec 03 10:09:35 2019 -0800
tree e19bcd0d6d44a5a06078a883d514098074881ad0
parent d6a91453d87767058633cb768e067162c62e44be

sepolicy: allow rules for apk verify system property

ro.apk_verity.mode was introduced in P on crosshatch. This change
changes the label from default_prop to a new property, apk_verity_prop.

ro.apk_verity.mode is set by vendor_init per build.prop, in order to
honor Treble split.  It is also read by system_server and installd
currently.

Test: verify functioning without denials in dmesg
Bug: 142494008
Bug: 144164497
Change-Id: I1f24513d79237091cf30025bb7ca63282e23c739

private/compat/29.0/29.0.cil

diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index c447715..5eddc4e 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1143,7 +1143,7 @@
 (typeattributeset default_android_hwservice_29_0 (default_android_hwservice))
 (typeattributeset default_android_service_29_0 (default_android_service))
 (typeattributeset default_android_vndservice_29_0 (default_android_vndservice))
-(typeattributeset default_prop_29_0 (default_prop))
+(typeattributeset default_prop_29_0 (default_prop apk_verity_prop))
 (typeattributeset dev_cpu_variant_29_0 (dev_cpu_variant))
 (typeattributeset device_29_0 (device))
 (typeattributeset device_config_activity_manager_native_boot_prop_29_0 (device_config_activity_manager_native_boot_prop))

private/installd.te

diff --git a/private/installd.te b/private/installd.te
index 28f81a4..c89ba8b 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -37,6 +37,9 @@
 get_prop(installd, device_config_runtime_native_prop)
 get_prop(installd, device_config_runtime_native_boot_prop)
 
+# Allow installd to access apk verity feature flag (for legacy case).
+get_prop(installd, apk_verity_prop)
+
 # Allow installd to delete files in /data/staging
 allow installd staging_data_file:file unlink;
 allow installd staging_data_file:dir { open read remove_name rmdir search write };

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 603ea9c..7ddaf4a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -635,6 +635,9 @@
 # Read the property that mocks an OTA
 get_prop(system_server, mock_ota_prop)
 
+# Read the property as feature flag for protecting apks with fs-verity.
+get_prop(system_server, apk_verity_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;