diff --git a/public/installd.te b/public/installd.te
index 8a761663e..f21cef909 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -13,6 +13,12 @@ allow installd apk_data_file:dir { create_dir_perms relabelfrom };
 allow installd apk_data_file:file { create_file_perms relabelfrom link };
 allow installd apk_data_file:lnk_file { create r_file_perms unlink };
 
+# FS_IOC_ENABLE_VERITY and FS_IOC_SET_VERITY_MEASUREMENT ioctls
+# on APKs in /data/app, to support fsverity
+allowxperm installd apk_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_SET_VERITY_MEASUREMENT
+};
+
 allow installd asec_apk_file:file r_file_perms;
 allow installd apk_tmp_file:file { r_file_perms unlink };
 allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 63cf2501a..cbf490322 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -801,12 +801,14 @@ define(`FS_IOC32_GETFLAGS', `0x80046601')
 define(`FS_IOC32_GETVERSION', `0x80047601')
 define(`FS_IOC32_SETFLAGS', `0x40046602')
 define(`FS_IOC32_SETVERSION', `0x40047602')
+define(`FS_IOC_ENABLE_VERITY', `0x6685')
 define(`FS_IOC_FIEMAP', `0xc020660b')
 define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
 define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
 define(`FS_IOC_GETFLAGS', `0x80086601')
 define(`FS_IOC_GETVERSION', `0x80087601')
 define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
+define(`FS_IOC_SET_VERITY_MEASUREMENT', `0x6686')
 define(`FS_IOC_SETFLAGS', `0x40086602')
 define(`FS_IOC_SETVERSION', `0x40087602')
 define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
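Review bot: The comment above the new `allowxperm installd apk_data_file:file ioctl` rule in public/installd.te describes the scope as "APKs in /data/app", but the rule applies to every file labelled `apk_data_file`, and the label is what the kernel enforces. The comment should name the type rather than the path, for example `# Applies to all files labelled apk_data_file (not only /data/app).` An extended-permission rule on this source/target/class also means that any other ioctl installd issues on these files must be covered by some `allowxperm`. Whether a domain-wide rule elsewhere already does that is not visible in this hunk, so it is worth checking for `ioctlcmd=` denials from installd after the change. The rule relies on the base `ioctl` permission, which presumably comes from `create_file_perms` on the context line above.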
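Review bot: In public/ioctl_defines the two added values, `0x6685` and `0x6686`, are written as 16-bit numbers, while every neighbouring define in this hunk is a full 32-bit request such as `0x80086601` or `0xc020660b`, which also carries the direction and argument size. If either verity ioctl takes an argument, its real request number has non-zero upper bits. Matching likely still works, because as far as I know extended-permission rules compare only the type and number bytes, but the define no longer reads as the value seen in userspace traces. I would write the full value from the kernel header the build targets, or add a comment such as `# fs-verity: type/number bytes only, upper bits omitted`. The define list continues outside the hunk.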