Commit graph

5 commits

Author SHA1 Message Date
Andreas Gampe
15e02450f1 Sepolicy: Fix comment on apexd:fd use
The file descriptors for /dev/zero are no longer open. However,
a descriptor to the shell is still inherited. Update the comment.

Bug: 126787589
Test: m
Test: manual
Change-Id: I0d4518d2ba771622ea969bbf02827db45788bc09
2019-03-15 11:26:05 -07:00
Andreas Gampe
59d5d90da8 Sepolicy: Allow everyone to search keyrings
Allow everyone to look for keys in the fsverity keyring. This is
required to access fsverity-protected files at all.

This set of permissions is analogous to allowances for the fscrypt
keyring and keys.

Bug: 125474642
Test: m
Test: manual
Change-Id: I6e8c13272cdd76d9940d950e9dabecdb210691b1
2019-03-14 13:21:07 -07:00
Andreas Gampe
7263cb4603 Sepolicy: Give sys_admin for relabel
This requirement slipped through.

Bug: 125474642
Test: m
Test: manual
Change-Id: I8b31bda519632a549574d3057bc49a158e796e2e
2019-03-12 10:49:16 -07:00
Andreas Gampe
67e14adba6 Sepolicy: Add runtime APEX postinstall fsverity permissions
Add rights to check and enable fsverity data.

Bug: 125474642
Test: m
Change-Id: I35ce4d6ac3db5b00d35860033a5751de26acf17c
2019-02-28 16:51:12 -08:00
Andreas Gampe
4c2d06c458 Sepolicy: Add base runtime APEX postinstall policies
Add art_apex_postinstall domain that is allowed to move
precreated AoT artifacts from /data/ota.

Bug: 125474642
Test: m
Change-Id: Id674e202737155a4ee31187f096d1dd655001fdd
2019-02-28 09:24:17 -08:00