From 6543cf9843dad4e5629adc99814c51a87e03a690 Mon Sep 17 00:00:00 2001
From: Victor Hsieh
Date: Fri, 26 Apr 2024 13:04:00 -0700
Subject: [PATCH] Allow priv_app to measure fs-verity on tmp apk files

An APK installing with .idsig gets fs-verity enabled during the package install. As a step of package install, a package verifier may inspect the APK. A v4 signature check requires calling FS_IOC_MEASURE_VERITY. This change gives priv_app the permission (which appdomain already has).

Bug: 337307333
Test: no longer seeing the verifier error
Change-Id: I49b721f229c30677f633dc1e425022ac54801668
---
 private/priv_app.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/private/priv_app.te b/private/priv_app.te
index 5c3f351b2..bb5da7c1e 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -96,6 +96,7 @@ allow priv_app perfetto_traces_data_file:file { read getattr };
 # Allow verifier to access staged apks.
 allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+allowxperm priv_app { apk_tmp_file apk_private_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
 # For AppFuse.
 allow priv_app vold:fd use;
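Review bot: The comment at the top of the hunk, `# Allow verifier to access staged apks.`, now sits above an ioctl grant it does not explain; the added allowxperm deserves a note so the next reader knows why a measurement ioctl is needed here, e.g. `# Allow verifier to access staged apks and measure fs-verity (v4 signature check).` The extended permission only takes effect because r_file_perms on the preceding line already carries the base ioctl permission on these file types — if that macro is ever narrowed, the allowxperm silently becomes dead, so the comment should name that dependency as well. The grant is sensibly scoped to FS_IOC_MEASURE_VERITY alone (read-only measurement) rather than the enable ioctl, which is the right least-privilege shape; the hunk does not show whether the file already has an allowxperm for other ioctls on apk_tmp_file, so it is worth confirming this line is not duplicating or widening an existing grant elsewhere in priv_app.te.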