Allow priv_app to measure fs-verity on tmp apk files

An APK installing with .idsig gets fs-verity enabled during the package install. As a step of package install, a package verifier may inspect the APK. A v4 signature check requires calling FS_IOC_MEASURE_VERITY. This change gives priv_app the permission (which appdomain already has). Bug: 337307333 Test: no longer seeing the verifier error Change-Id: I49b721f229c30677f633dc1e425022ac54801668
2024-04-26 13:04:00 -07:00 · 2024-04-26 13:04:00 -07:00 · 6543cf9843
commit 6543cf9843
parent 96a0742dce
1 changed files with 1 additions and 0 deletions
--- a/private/priv_app.te
+++ b/private/priv_app.te
@ -96,6 +96,7 @@ allow priv_app perfetto_traces_data_file:file { read getattr };
 # Allow verifier to access staged apks.
 allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+allowxperm priv_app { apk_tmp_file apk_private_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;

 # For AppFuse.
 allow priv_app vold:fd use;