From eb749382694834c2f82c2aa91475c78658206971 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 22 Nov 2021 10:22:09 +0100
Subject: [PATCH] Mark fs-verity support for /metadata if first_api_level >= R

fs-verity is required for new devices launched with R.

This allows files stored on /metadata to be protected by fsverity.

Bug: 199914227
Test: mini-keyctl padd asymmetric fsv-sepolicy .fs-verity \
< /system/etc/security/com.android.sepolicy.cert.der
cp /apex/com.android.sepolicy.apex/app/SEPolicy-33/SEPolicy-33.apk \
/metadata/sepolicy/
fsverity enable /metadata/sepolicy/SEPolicy-33.apk \
--signature=/apex/com.android.sepolicy.apex/etc/SEPolicy-33.apk.fsv_sig

Change-Id: I44434e3d026f1dbe6e261c365b3c70d3556a80b1
---
 fs_mgr/fs_mgr_fstab.cpp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/fs_mgr/fs_mgr_fstab.cpp b/fs_mgr/fs_mgr_fstab.cpp
index 809aa61c0..94277a16f 100644
--- a/fs_mgr/fs_mgr_fstab.cpp
+++ b/fs_mgr/fs_mgr_fstab.cpp
@@ -666,9 +666,11 @@ void TransformFstabForDsu(Fstab* fstab, const std::string& dsu_slot,
 }
 
 void EnableMandatoryFlags(Fstab* fstab) {
-    // Devices launched in R and after should enable fs_verity on userdata. The flag causes tune2fs
-    // to enable the feature. A better alternative would be to enable on mkfs at the beginning.
+    // Devices launched in R and after must support fs_verity. Set flag to cause tune2fs
+    // to enable the feature on userdata and metadata partitions.
     if (android::base::GetIntProperty("ro.product.first_api_level", 0) >= 30) {
+        // Devices launched in R and after should enable fs_verity on userdata.
+        // A better alternative would be to enable on mkfs at the beginning.
         std::vector<FstabEntry*> data_entries = GetEntriesForMountPoint(fstab, "/data");
         for (auto&& entry : data_entries) {
             // Besides ext4, f2fs is also supported. But the image is already created with verity
@@ -677,6 +679,12 @@ void EnableMandatoryFlags(Fstab* fstab) {
                 entry->fs_mgr_flags.fs_verity = true;
             }
         }
+        // Devices shipping with S and earlier likely do not already have fs_verity enabled via
+        // mkfs, so enable it here.
+        std::vector<FstabEntry*> metadata_entries = GetEntriesForMountPoint(fstab, "/metadata");
+        for (auto&& entry : metadata_entries) {
+            entry->fs_mgr_flags.fs_verity = true;
+        }
     }
 }