Disallow system_server fs-verity operations to system_file

The original change was not a correct solution and was only intended to
silence an error. After the correct fix (aosp/2559927), we can remove
the rule (which only allows the operation to happen and fail anyway).

Test: m
Bug: None
Change-Id: Ia41fac38e89653578adab3b10def7b1b0d0a3e61
Victor Hsieh 2023-04-27 08:34:00 -07:00
parent 7890b191d9
commit e8ff14a211

@ -1106,8 +1106,8 @@ allow system_server toolbox_exec:file rx_file_perms;
# Allow system process to setup fs-verity
allowxperm system_server { apk_data_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
# Allow system process to measure fs-verity for apps, apps being installed and system files
allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
# Allow system process to measure fs-verity for apps, including those being installed
allowxperm system_server { apk_data_file apk_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS;
# Postinstall
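
Review bot: The only verification listed is a build (`Test: m`), which cannot show whether system_server still issues FS_IOC_MEASURE_VERITY on a system_file at runtime once `system_file` is dropped from the `allowxperm system_server { apk_data_file apk_tmp_file ... }:file ioctl FS_IOC_MEASURE_VERITY;` rule. Please boot a device with this change and confirm the audit log shows no new ioctl denials for system_server on system_file, and note that result in the Test: line. The updated comment also drops "system files" without saying why, so a short mention that measuring system_file is intentionally not permitted would stop the type from being added back later. If the exclusion is meant to be permanent, consider whether a neverallowxperm for this ioctl on system_file is appropriate to enforce it.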