Merge "Enable fsverity signature checking"

author: Treehugger Robot <treehugger-gerrit@google.com> 2019-03-19 16:40:48 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> 2019-03-19 16:40:48 +0000
commit: aaee497db2b74e55dc1779abb41b294afb954349 (patch)
tree: cf9997c94f215b1d2ea165d8761ed134e79203e7 /rootdir
parent: d5032392924f451c8a37bb65be5b6d3425ee8ef5 (diff)
parent: 66fc7eb195820d9e8e6649495e51b738d41924a5 (diff)
download: system_core-aaee497db2b74e55dc1779abb41b294afb954349.tar.gz
system_core-aaee497db2b74e55dc1779abb41b294afb954349.tar.bz2
system_core-aaee497db2b74e55dc1779abb41b294afb954349.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 0e961631b..8e63a819c 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -424,6 +424,8 @@ on post-fs-data
     exec -- /system/bin/mini-keyctl dadd asymmetric vendor_cert /vendor/etc/security/cacerts_fsverity .fs-verity
     # Prevent future key links to fsverity keyring
     exec -- /system/bin/mini-keyctl restrict_keyring .fs-verity
+    # Enforce fsverity signature checking
+    write /proc/sys/fs/verity/require_signatures 1
 
     # Make sure that apexd is started in the default namespace
     enter_default_mount_ns
author	Treehugger Robot <treehugger-gerrit@google.com>	2019-03-19 16:40:48 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	2019-03-19 16:40:48 +0000
commit	aaee497db2b74e55dc1779abb41b294afb954349 (patch)
tree	cf9997c94f215b1d2ea165d8761ed134e79203e7 /rootdir
parent	d5032392924f451c8a37bb65be5b6d3425ee8ef5 (diff)
parent	66fc7eb195820d9e8e6649495e51b738d41924a5 (diff)
download	system_core-aaee497db2b74e55dc1779abb41b294afb954349.tar.gz system_core-aaee497db2b74e55dc1779abb41b294afb954349.tar.bz2 system_core-aaee497db2b74e55dc1779abb41b294afb954349.zip