From 1035ba1023358e1e5e165875aea4baf11200bd02 Mon Sep 17 00:00:00 2001
From: Alan Stokes
Date: Tue, 14 Jun 2022 16:54:29 +0100
Subject: [PATCH] Allow compos_verify to write VM logs
Previously I've resisted granting write access to these files, since it allows the instance image to be altered. But that doesn't allow an attacker to do anything other than render it invalid, since it's protected by the VM key. Note that logs are only written when the VM is debuggable, which is currently only when only non-protected VMs are available.
Bug: 235350758
Test: Force debug on, stage APEX, compile, reboot -> see vm logs
Test: Presubmit
Change-Id: I17c9a17db83d15adfab97b8cfe4ccd67393a08c1
---
 private/compos_verify.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/private/compos_verify.te b/private/compos_verify.te
index 0a281f83b..5b3615eea 100644
--- a/private/compos_verify.te
+++ b/private/compos_verify.te
@@ -6,9 +6,10 @@ type compos_verify_exec, exec_type, file_type, system_file_type;
 binder_use(compos_verify);
 virtualizationservice_use(compos_verify);
-# Access instance image files
+# Read instance image & write VM logs
 allow compos_verify apex_module_data_file:dir search;
-r_dir_file(compos_verify, apex_compos_data_file)
+allow compos_verify apex_compos_data_file:dir rw_dir_perms;
+allow compos_verify apex_compos_data_file:file { rw_file_perms create };
 # Read CompOS info & signature files
 allow compos_verify apex_art_data_file:dir search;
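Review bot: The two added `allow` rules grant write and create on everything labelled `apex_compos_data_file`, so the policy no longer separates the instance image from the VM logs, and the reason that is acceptable (the image is protected by the VM key, so a write can only invalidate it) is recorded only in the commit message. I would carry that rationale into the comment above the rules, e.g. `# Write access also covers the instance image; that is tolerated because the image is protected by the VM key, so tampering can only invalidate it.` If the logs are only ever created and written, `ra_dir_perms` on the directory would avoid granting `remove_name`; whether compos_verify needs to remove or replace entries is not visible in this hunk. The rules apply on every build, not only when the VM is debuggable, so the invalidate-only argument has to hold for protected VMs as well. The replaced `r_dir_file` macro also allowed reading `lnk_file` objects of this type, which the new rules drop; that looks like a deliberate tightening but is worth confirming.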