From 7397ebd1e1084d9a53a751abe77b5788455cbc38 Mon Sep 17 00:00:00 2001
From: Victor Hsieh
Date: Fri, 4 Jan 2019 13:06:20 -0800
Subject: [PATCH] Allow fs-verity setup within system_server
The original fs-verity implementation requires CAP_SYS_ADMIN and thus the actual setup is proxied through installd. Instead, upstream FS_IOC_ENABLE_VERITY ioctl checks write permission to inode, and thus can happen in system_server. Also, replace the old measure ioctl with FS_IOC_SET_VERITY_MEASUREMENT. Note that although the number is name, they work differently.
Test: set ro.apk_verity.mode=2, in-progress CTS passed without denial
Bug: 112037636
Change-Id: I3e8d14321df8904dfed68b83aae8b3dd99c211ac
---
 private/system_server.te | 7 +++++++
 public/installd.te | 7 ++++---
 public/ioctl_defines | 2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/private/system_server.te b/private/system_server.te
index ae6d687ee..e183606d7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -789,6 +789,13 @@ allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write sh
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
+# Allow system process to setup and measure fs-verity
+allowxperm system_server apk_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+# Allow system process to access the keyring.
+allow system_server kernel:key search;
+
 # Postinstall
 #
 # For OTA dexopt, allow calls coming from postinstall.
diff --git a/public/installd.te b/public/installd.te
index f21cef909..ccf28ec26 100644
--- a/public/installd.te
+++ b/public/installd.te
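Review bot: The comment on `allow system_server kernel:key search;` says only "access the keyring", yet the rule lets system_server search every key labeled with the kernel domain, so the comment should name the consumer and the limit of the grant. Assuming this is the keyring lookup done while enabling fs-verity (the hunk does not say), something like `# Search (not read, write or link) kernel-owned keys; needed for the fs-verity signature check.` would make later audits easier. Separately, `allowxperm` only narrows an `ioctl` permission that must already be granted. The base `allow system_server apk_data_file:file ioctl` and the write access the commit message relies on are outside this hunk, so both are worth confirming. It is also worth checking that system_server issues no other ioctl on apk_data_file files, since an unlisted command would now be denied.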
@@ -13,10 +13,11 @@ allow installd apk_data_file:dir { create_dir_perms relabelfrom };
 allow installd apk_data_file:file { create_file_perms relabelfrom link };
 allow installd apk_data_file:lnk_file { create r_file_perms unlink };
-# FS_IOC_ENABLE_VERITY and FS_IOC_SET_VERITY_MEASUREMENT ioctls
-# on APKs in /data/app, to support fsverity
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
+# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
+# TODO(b/120629632): this path is deprecated, remove when possible.
 allowxperm installd apk_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_SET_VERITY_MEASUREMENT
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
 };
 allow installd asec_apk_file:file r_file_perms;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index ab2f7c554..c5b412b2c 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -807,8 +807,8 @@ define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
 define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
 define(`FS_IOC_GETFLAGS', `0x80086601')
 define(`FS_IOC_GETVERSION', `0x80087601')
+define(`FS_IOC_MEASURE_VERITY', `0x6686')
 define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
-define(`FS_IOC_SET_VERITY_MEASUREMENT', `0x6686')
 define(`FS_IOC_SETFLAGS', `0x40086602')
 define(`FS_IOC_SETVERSION', `0x40087602')
 define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
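Review bot: The rewritten comment above the installd `allowxperm` still names FS_IOC_SET_VERITY_MEASUREMENT, a macro this commit deletes from public/ioctl_defines, and it does not say that the rule cannot tell the old ioctl from the new one. Extended-permission rules match on the command number, and both names are defined as 0x6686. Stating that outright is clearer, e.g. `# FS_IOC_MEASURE_VERITY reuses ioctl number 0x6686 of the former FS_IOC_SET_VERITY_MEASUREMENT; this rule admits either.` installd also keeps FS_IOC_ENABLE_VERITY although the commit message moves setup to system_server, so the TODO is the only thing tracking that leftover privilege. It would help if the TODO named the condition under which the rule can be dropped.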