PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

installd: add fsverity ioctls

Browse Source 
installd calls fsverity ioctls FS_IOC_ENABLE_VERITY and
FS_IOC_SET_VERITY_MEASUREMENT on APKs in /data/app. Allow it.

Addresses the following denials:

  type=1400 audit(0.0:13): avc: denied { ioctl } for comm="Binder:912_1"
  path="/data/app/com.android.vending-QZXfga9NZzHdv31lJzPTdQ==/base.apk"
  dev="dm-3" ino=43887 ioctlcmd=0x6686 scontext=u:r:installd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0

  type=1400 audit(0.0:40): avc: denied { ioctl } for comm="Binder:876_1"
  path="/data/app/com.android.settings-0xUwDcuYseP40L3WMUTGIw==/base.apk"
  dev="dm-0" ino=6855 ioctlcmd=0x6685 scontext=u:r:installd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0

Test: policy compiles and device boots
Bug: 30972906
Change-Id: Ifc88ae6909971c2f2bb24479f5e748fc7900447d
This commit is contained in:
Nick Kralevich 2018-10-12 08:24:04 -07:00
parent 9977e25411
commit 0045ecb0c4
2 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
public/installd.te
View File

@ -13,6 +13,12 @@ allow installd apk_data_file:dir { create_dir_perms relabelfrom };
allow installd apk_data_file:file { create_file_perms relabelfrom link };
allow installd apk_data_file:lnk_file { create r_file_perms unlink };
# FS_IOC_ENABLE_VERITY and FS_IOC_SET_VERITY_MEASUREMENT ioctls
# on APKs in /data/app, to support fsverity
allowxperm installd apk_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_SET_VERITY_MEASUREMENT
};
allow installd asec_apk_file:file r_file_perms;
allow installd apk_tmp_file:file { r_file_perms unlink };
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };

2
public/ioctl_defines
View File

@ -801,12 +801,14 @@ define(`FS_IOC32_GETFLAGS', `0x80046601')
define(`FS_IOC32_GETVERSION', `0x80047601')
define(`FS_IOC32_SETFLAGS', `0x40046602')
define(`FS_IOC32_SETVERSION', `0x40047602')
define(`FS_IOC_ENABLE_VERITY', `0x6685')
define(`FS_IOC_FIEMAP', `0xc020660b')
define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
define(`FS_IOC_GETFLAGS', `0x80086601')
define(`FS_IOC_GETVERSION', `0x80087601')
define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
define(`FS_IOC_SET_VERITY_MEASUREMENT', `0x6686')
define(`FS_IOC_SETFLAGS', `0x40086602')
define(`FS_IOC_SETVERSION', `0x40087602')
define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')