Allow fs-verity setup within system_server

The original fs-verity implementation requires CAP_SYS_ADMIN and thus the actual setup is proxied through installd. Instead, upstream FS_IOC_ENABLE_VERITY ioctl checks write permission to inode, and thus can happen in system_server. Also, replace the old measure ioctl with FS_IOC_SET_VERITY_MEASUREMENT. Note that although the number is name, they work differently. Test: set ro.apk_verity.mode=2, in-progress CTS passed without denial Bug: 112037636 Change-Id: I3e8d14321df8904dfed68b83aae8b3dd99c211ac
2019-01-04 13:06:20 -08:00 · 2019-01-04 13:06:20 -08:00 · 7397ebd1e1
commit 7397ebd1e1
parent b7246ac0b6
3 changed files with 12 additions and 4 deletions
--- a/private/system_server.te
+++ b/private/system_server.te
@ -789,6 +789,13 @@ allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write sh
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;

+# Allow system process to setup and measure fs-verity
+allowxperm system_server apk_data_file:file ioctl {
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+# Allow system process to access the keyring.
+allow system_server kernel:key search;
+
 # Postinstall
 #
 # For OTA dexopt, allow calls coming from postinstall.
--- a/public/installd.te
+++ b/public/installd.te
@ -13,10 +13,11 @@ allow installd apk_data_file:dir { create_dir_perms relabelfrom };
 allow installd apk_data_file:file { create_file_perms relabelfrom link };
 allow installd apk_data_file:lnk_file { create r_file_perms unlink };

-# FS_IOC_ENABLE_VERITY and FS_IOC_SET_VERITY_MEASUREMENT ioctls
-# on APKs in /data/app, to support fsverity
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
+# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
+# TODO(b/120629632): this path is deprecated, remove when possible.
 allowxperm installd apk_data_file:file ioctl {
-  FS_IOC_ENABLE_VERITY FS_IOC_SET_VERITY_MEASUREMENT
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
 };

 allow installd asec_apk_file:file r_file_perms;
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@ -807,8 +807,8 @@ define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
 define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
 define(`FS_IOC_GETFLAGS', `0x80086601')
 define(`FS_IOC_GETVERSION', `0x80087601')
+define(`FS_IOC_MEASURE_VERITY', `0x6686')
 define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
-define(`FS_IOC_SET_VERITY_MEASUREMENT', `0x6686')
 define(`FS_IOC_SETFLAGS', `0x40086602')
 define(`FS_IOC_SETVERSION', `0x40087602')
 define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')