From 6446490287fb1c4f091af20a58c219b4d6cd7b12 Mon Sep 17 00:00:00 2001
From: sandrom
Date: Thu, 10 Feb 2022 15:26:54 +0000
Subject: [PATCH] Allow apexd to enable fsverity on /metadata

Bug: 218672709
Test: manual tests
Change-Id: Idaead3ecd3f3488512908febbdc368e184b7bca9
---
 private/apexd.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/private/apexd.te b/private/apexd.te
index 69645a12c..040651d7e 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -16,6 +16,10 @@ allow apexd apex_metadata_file:file create_file_perms;
 # Allow creating and writing APEX files/dirs in the SEPolicy metadata dir
 allow apexd sepolicy_metadata_file:dir create_dir_perms;
 allow apexd sepolicy_metadata_file:file create_file_perms;
+# Allow apexd to setup fs-verity for SEPolicy files in metadata
+allowxperm apexd sepolicy_metadata_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
 
 # Allow reserving space on /data/apex/ota_reserved for apex decompression
 allow apexd apex_ota_reserved_file:dir create_dir_perms;
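Review bot: The comment added before `allowxperm` mentions only setting up fs-verity, yet the rule also whitelists `FS_IOC_MEASURE_VERITY`, and it does not say that the base `ioctl` permission is expected to come from the preceding `allow apexd sepolicy_metadata_file:file create_file_perms;` rule (assuming that macro, defined outside this hunk, includes `ioctl`). I would spell both out, e.g. `# Allow apexd to enable fs-verity on SEPolicy files in metadata and read back their digest.` followed by `# ioctl itself is granted via create_file_perms above; this only whitelists the two verity commands.` Because apexd also holds `create_file_perms` on these files, which presumably covers unlink and rename, enabling verity does not by itself prevent a file from being replaced. The integrity benefit therefore seems to depend on whichever component loads these files comparing the measured digest with a trusted value, which is worth confirming in the bug given that the only listed test is manual.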