Sepolicy: Add runtime APEX preinstall fsverity permissions
Add rights to create and install fsverity data. Bug: 125474642 Test: m Change-Id: I752c40c7b396b2da082cb17641702a2c5c11b9c3
parent
ae127d8340
commit
57346a0566
1 changed files with 13 additions and 0 deletions
|
@ -24,3 +24,16 @@ allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans;
|
|||
|
||||
# Run dex2oat.
|
||||
domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)
|
||||
|
||||
# Fsverity in the same domain.
|
||||
allow art_apex_preinstall system_file:file execute_no_trans;
|
||||
# Fsverity work.
|
||||
allowxperm art_apex_preinstall ota_data_file:file ioctl {
|
||||
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
|
||||
};
|
||||
|
||||
allow art_apex_preinstall kernel:key search;
|
||||
# For testing purposes, allow keys installed with su.
|
||||
userdebug_or_eng(`
|
||||
allow art_apex_preinstall su:key search;
|
||||
')
|
||||
|
|
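Review bot: The added `allow art_apex_preinstall system_file:file execute_no_trans;` lets this domain execute any file labelled `system_file` with its own privileges, which is wider than the "Fsverity in the same domain" comment implies is needed. If the intent is only to run the fsverity tool, labelling that binary with its own exec type and granting `execute_no_trans` on that type alone would limit the grant to one file; such a type would have to be defined outside this hunk. Separately, `allowxperm` only narrows an `ioctl` permission that is granted elsewhere, so it is worth confirming that a matching `allow` for `ota_data_file:file ioctl` exists in the part of the file not shown here. At minimum the comment could record the reason, e.g. `# fsverity tool is labelled system_file; run without a transition so it keeps the key and ioctl grants below.`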