Allow fs-verity setup within system_server

The original fs-verity implementation requires CAP_SYS_ADMIN and thus the actual setup is proxied through installd. Instead, upstream FS_IOC_ENABLE_VERITY ioctl checks write permission to inode, and thus can happen in system_server.

Also, replace the old measure ioctl with FS_IOC_SET_VERITY_MEASUREMENT. Note that although the number is name, they work differently.

Test: set ro.apk_verity.mode=2, in-progress CTS passed without denial
Bug: 112037636
Change-Id: I3e8d14321df8904dfed68b83aae8b3dd99c211ac