sepolicy: allow rules for apk verify system property

ro.apk_verity.mode was introduced in P on crosshatch. This change
changes the label from default_prop to a new property, apk_verity_prop.

ro.apk_verity.mode is set by vendor_init per build.prop, in order to
honor Treble split. It is also read by system_server and installd
currently.

Test: verify functioning without denials in dmesg
Bug: 142494008
Bug: 144164497
Change-Id: I1f24513d79237091cf30025bb7ca63282e23c739

diff --git a/private/system_server.te b/private/system_server.te
index 603ea9c..7ddaf4a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -635,6 +635,9 @@
# Read the property that mocks an OTA
get_prop(system_server, mock_ota_prop)
+# Read the property as feature flag for protecting apks with fs-verity.
+get_prop(system_server, apk_verity_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
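
Review bot: The comment added above get_prop(system_server, apk_verity_prop) does not name the property it covers; mention ro.apk_verity.mode there so the rule can be traced from the policy file back to the build.prop setting. The commit message also says installd reads the property and vendor_init sets it, while only the system_server.te hunk is visible here, so confirm the change also carries the matching get_prop for installd, the set_prop for vendor_init, and the property_contexts entry that maps ro.apk_verity.mode to apk_verity_prop. Without that mapping the property keeps the default_prop label and this rule has no effect on the read it is meant to allow.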