Allow priv_app to measure fs-verity on tmp apk files

An APK installing with .idsig gets fs-verity enabled during the package
install. As a step of package install, a package verifier may inspect
the APK. A v4 signature check requires calling FS_IOC_MEASURE_VERITY.
This change gives priv_app the permission (which appdomain already has).

Bug: 337307333
Test: no longer seeing the verifier error
Change-Id: I49b721f229c30677f633dc1e425022ac54801668
This commit is contained in:
Victor Hsieh 2024-04-26 13:04:00 -07:00
parent 96a0742dce
commit 6543cf9843

View file

@ -96,6 +96,7 @@ allow priv_app perfetto_traces_data_file:file { read getattr };
# Allow verifier to access staged apks. # Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms; allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
allowxperm priv_app { apk_tmp_file apk_private_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
# For AppFuse. # For AppFuse.
allow priv_app vold:fd use; allow priv_app vold:fd use;