Allow fs-verity setup within system_server
The original fs-verity implementation requires CAP_SYS_ADMIN and thus the actual setup is proxied through installd. Instead, upstream FS_IOC_ENABLE_VERITY ioctl checks write permission to inode, and thus can happen in system_server. Also, replace the old measure ioctl with FS_IOC_SET_VERITY_MEASUREMENT. Note that although the number is the same, they work differently. Test: set ro.apk_verity.mode=2, in-progress CTS passed without denial Bug: 112037636 Change-Id: I3e8d14321df8904dfed68b83aae8b3dd99c211ac
parent
b7246ac0b6
commit
7397ebd1e1
@ -789,6 +789,13 @@ allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write sh
|
||||
# Allow invoking tools like "timeout"
|
||||
allow system_server toolbox_exec:file rx_file_perms;
|
||||
|
||||
# Allow system process to setup and measure fs-verity
|
||||
allowxperm system_server apk_data_file:file ioctl {
|
||||
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
|
||||
};
|
||||
# Allow system process to access the keyring.
|
||||
allow system_server kernel:key search;
|
||||
|
||||
# Postinstall
|
||||
#
|
||||
# For OTA dexopt, allow calls coming from postinstall.
|
||||
|
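Review bot: The new `allowxperm system_server apk_data_file:file ioctl { ... }` rule only whitelists ioctl numbers; it grants nothing unless a base `allow system_server apk_data_file:file ioctl` rule exists, and that rule is not visible in this section. The commit message says FS_IOC_ENABLE_VERITY is now gated by write permission on the inode rather than CAP_SYS_ADMIN, so the comment above the rule should record this, e.g. `# FS_IOC_ENABLE_VERITY needs write access to the inode (no CAP_SYS_ADMIN); relies on the existing apk_data_file:file grants.` The `allow system_server kernel:key search;` line would also benefit from a comment naming which keyring is searched and why. As written, it presumably covers every key labelled `kernel`.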
@ -13,10 +13,11 @@ allow installd apk_data_file:dir { create_dir_perms relabelfrom };
|
||||
allow installd apk_data_file:file { create_file_perms relabelfrom link };
|
||||
allow installd apk_data_file:lnk_file { create r_file_perms unlink };
|
||||
|
||||
# FS_IOC_ENABLE_VERITY and FS_IOC_SET_VERITY_MEASUREMENT ioctls
|
||||
# on APKs in /data/app, to support fsverity
|
||||
# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
|
||||
# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
|
||||
# TODO(b/120629632): this path is deprecated, remove when possible.
|
||||
allowxperm installd apk_data_file:file ioctl {
|
||||
FS_IOC_ENABLE_VERITY FS_IOC_SET_VERITY_MEASUREMENT
|
||||
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
|
||||
};
|
||||
|
||||
allow installd asec_apk_file:file r_file_perms;
|
||||
|
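Review bot: The rewritten comment above `allowxperm installd apk_data_file:file ioctl` still names FS_IOC_SET_VERITY_MEASUREMENT, a macro this commit removes from the ioctl defines, so a reader grepping for it will find nothing. Both the old and new names are defined as `0x6686`, which means the policy cannot distinguish the old semantics from the new ones. I would state that in the comment, e.g. `# FS_IOC_MEASURE_VERITY shares ioctl number 0x6686 with the removed FS_IOC_SET_VERITY_MEASUREMENT.` Until the TODO is resolved, installd keeps FS_IOC_ENABLE_VERITY alongside system_server, so two domains can enable verity on APK files. It is worth confirming that is intended for the transition.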
@ -807,8 +807,8 @@ define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
|
||||
define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
|
||||
define(`FS_IOC_GETFLAGS', `0x80086601')
|
||||
define(`FS_IOC_GETVERSION', `0x80087601')
|
||||
define(`FS_IOC_MEASURE_VERITY', `0x6686')
|
||||
define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
|
||||
define(`FS_IOC_SET_VERITY_MEASUREMENT', `0x6686')
|
||||
define(`FS_IOC_SETFLAGS', `0x40086602')
|
||||
define(`FS_IOC_SETVERSION', `0x40087602')
|
||||
define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
|
||||
|