-
Victor Hsieh authored
The original fs-verity implementation requires CAP_SYS_ADMIN and thus the actual setup is proxied through installd. Instead, upstream FS_IOC_ENABLE_VERITY ioctl checks write permission to inode, and thus can happen in system_server. Also, replace the old measure ioctl with FS_IOC_SET_VERITY_MEASUREMENT. Note that although the number is name, they work differently. Test: set ro.apk_verity.mode=2, in-progress CTS passed without denial Bug: 112037636 Change-Id: I3e8d14321df8904dfed68b83aae8b3dd99c211ac
Victor Hsieh authoredThe original fs-verity implementation requires CAP_SYS_ADMIN and thus the actual setup is proxied through installd. Instead, upstream FS_IOC_ENABLE_VERITY ioctl checks write permission to inode, and thus can happen in system_server. Also, replace the old measure ioctl with FS_IOC_SET_VERITY_MEASUREMENT. Note that although the number is name, they work differently. Test: set ro.apk_verity.mode=2, in-progress CTS passed without denial Bug: 112037636 Change-Id: I3e8d14321df8904dfed68b83aae8b3dd99c211ac
