Allow typical app domains to measure fs-verity on data file Bug: 285185747 Test: Call installd from a local client Change-Id: I93a9ffae5d1530dd9ddbc9504784701c7f962445

commit: fefc95666b1028cfaf3da3e9066857691b32d273 [log] [tgz]
author: Victor Hsieh <victorhsieh@google.com> Mon Aug 07 13:51:41 2023 -0700
committer: Victor Hsieh <victorhsieh@google.com> Mon Aug 07 13:59:48 2023 -0700
tree: 2024c631f8ef37c3d8a1abbb663012ba20e2d230
parent: d7d3609af7530d260b4b461b82630535ef533e41 [diff] [blame]
diff --git a/private/app.te b/private/app.te
index 3f8560a..466986c 100644
--- a/private/app.te
+++ b/private/app.te

@@ -259,6 +259,7 @@
 # App sandbox file accesses.
 allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms;
 allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms;
+allowxperm { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file ioctl FS_IOC_MEASURE_VERITY;
 
 # Access via already open fds is ok even for mlstrustedsubject.
 allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
commit	fefc95666b1028cfaf3da3e9066857691b32d273	[log] [tgz]
author	Victor Hsieh <victorhsieh@google.com>	Mon Aug 07 13:51:41 2023 -0700
committer	Victor Hsieh <victorhsieh@google.com>	Mon Aug 07 13:59:48 2023 -0700
tree	2024c631f8ef37c3d8a1abbb663012ba20e2d230
parent	d7d3609af7530d260b4b461b82630535ef533e41 [diff] [blame]