Allow system_server to obtain verity root hash for install files. Bug: 160605420 Test: atest ChecksumsTest, check for selinux denials Change-Id: I33b60d86317c37ef58a1be691d6a90dfef637db1

commit: aad4ae8a74d48e1320d8bbba92f0a0571a66c5a2 [log] [tgz]
author: Alex Buynytskyy <alexbuy@google.com> Wed Aug 31 12:07:53 2022 -0700
committer: Alex Buynytskyy <alexbuy@google.com> Fri Sep 02 09:30:21 2022 -0700
tree: cc4f19baaae1cdce639362c2033b511676dcbc87
parent: f08bc50f9df8119353424cca929764250b465bcb [diff]
diff --git a/private/system_server.te b/private/system_server.te
index aa674d0..ab0bfe0 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1076,14 +1076,11 @@
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
 
-# Allow system process to setup and measure fs-verity
-allowxperm system_server apk_data_file:file ioctl {
-  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
+# Allow system process to setup fs-verity
+allowxperm system_server apk_data_file:file ioctl FS_IOC_ENABLE_VERITY;
 
-allowxperm system_server system_file:file ioctl {
-  FS_IOC_MEASURE_VERITY
-};
+# Allow system process to measure fs-verity for apps, apps being installed and system files
+allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
 
 # Postinstall
 #
commit	aad4ae8a74d48e1320d8bbba92f0a0571a66c5a2	[log] [tgz]
author	Alex Buynytskyy <alexbuy@google.com>	Wed Aug 31 12:07:53 2022 -0700
committer	Alex Buynytskyy <alexbuy@google.com>	Fri Sep 02 09:30:21 2022 -0700
tree	cc4f19baaae1cdce639362c2033b511676dcbc87
parent	f08bc50f9df8119353424cca929764250b465bcb [diff]