Allow priv_app to measure fs-verity on tmp apk files
An APK installing with .idsig gets fs-verity enabled during the package install. As a step of package install, a package verifier may inspect the APK. A v4 signature check requires calling FS_IOC_MEASURE_VERITY. This change gives priv_app the permission (which appdomain already has). Bug: 337307333 Test: no longer seeing the verifier error Change-Id: I49b721f229c30677f633dc1e425022ac54801668
This commit is contained in:
parent
96a0742dce
commit
6543cf9843
1 changed files with 1 additions and 0 deletions
|
@ -96,6 +96,7 @@ allow priv_app perfetto_traces_data_file:file { read getattr };
|
||||||
# Allow verifier to access staged apks.
|
# Allow verifier to access staged apks.
|
||||||
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
|
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
|
||||||
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
|
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
|
||||||
|
allowxperm priv_app { apk_tmp_file apk_private_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
|
||||||
|
|
||||||
# For AppFuse.
|
# For AppFuse.
|
||||||
allow priv_app vold:fd use;
|
allow priv_app vold:fd use;
|
||||||
|
|
Loading…
Reference in a new issue