From 0e15f2d9c567df45c28d6b1e856c4c31c749974e Mon Sep 17 00:00:00 2001
From: Nate Myren
Date: Tue, 15 Aug 2023 16:41:17 -0700
Subject: [PATCH] Add appcompat override files and contexts to SELinux

This also allows the zygote to bind mount the system properties

Bug: 291814949
Test: manual
Change-Id: Ie5540faaf3508bc2d244c952904838d56aa67434
---
 contexts/plat_file_contexts_test | 2 ++
 microdroid/system/private/file_contexts | 2 ++
 microdroid/system/private/init.te | 4 ++--
 private/app_zygote.te | 2 ++
 private/file_contexts | 2 ++
 private/webview_zygote.te | 2 ++
 private/zygote.te | 2 ++
 public/init.te | 2 +-
 8 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 287f754a4..50d9de480 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -280,6 +280,8 @@
 /dev/zero zero_device
 /dev/__properties__ properties_device
 /dev/__properties__/property_info property_info
+/dev/__properties__/appcompat_override properties_device
+/dev/__properties__/appcompat_override/property_info property_info
 /linkerconfig linkerconfig_file
 /linkerconfig/test linkerconfig_file
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index e483237ab..046f20f83 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -72,7 +72,9 @@
 /dev/vsock u:object_r:vsock_device:s0
 /dev/zero u:object_r:zero_device:s0
 /dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/appcompat_override u:object_r:properties_device:s0
 /dev/__properties__/property_info u:object_r:property_info:s0
+/dev/__properties__/appcompat_override/property_info u:object_r:property_info:s0
 #############################
 # Linker configuration
 #
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 2dbf4956c..57452a02d 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -32,11 +32,11 @@ allow init {
 # /dev/__null__ node created by init.
 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
-# /dev/__properties__
+# /dev/__properties__ and /dev/__properties__/appcompat_override
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
 allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
+# /dev/__properties__/property_info and /dev/__properties__/appcompat_override/property_info
 allow init properties_device:file create_file_perms;
 allow init property_info:file relabelto;
 # /dev/socket
diff --git a/private/app_zygote.te b/private/app_zygote.te
index e3869cd79..46cea8e26 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -34,6 +34,8 @@ allow app_zygote system_server:process getpgid;
 # Interaction between the app_zygote and its children.
 allow app_zygote isolated_app:process setpgid;
+allow app_zygote properties_device:dir mounton;
+
 # TODO (b/63631799) fix this access
 dontaudit app_zygote mnt_expand_file:dir getattr;
diff --git a/private/file_contexts b/private/file_contexts
index 2d9b30d9d..2481c07d2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -200,7 +200,9 @@
 /dev/xt_qtaguid u:object_r:qtaguid_device:s0
 /dev/zero u:object_r:zero_device:s0
 /dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/appcompat_override u:object_r:properties_device:s0
 /dev/__properties__/property_info u:object_r:property_info:s0
+/dev/__properties__/appcompat_override/property_info u:object_r:property_info:s0
 #############################
 # Linker configuration
 #
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 055695007..7b05af2cd 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
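Review bot: The new rule `allow app_zygote properties_device:dir mounton;` has no comment saying why this domain needs to mount over the properties directory, while the neighbouring rules in this file each carry one; the webview_zygote.te hunk adds the identical rule with the same gap, and the zygote.te hunk's `# /dev/__properties__` names only the path. The commit message gives the reason, so I would place it next to each rule: `# Bind mount the appcompat override properties over /dev/__properties__ (b/291814949).` It is also worth stating that the permission is granted on the properties_device type rather than a path: the file_contexts hunks in this change label both /dev/__properties__ and /dev/__properties__/appcompat_override with that type, so the rule permits mounting on either directory, and a reader should not take it as specific to one of them.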
@@ -83,6 +83,8 @@ allow webview_zygote same_process_hal_file:file { execute read open getattr map
 allow webview_zygote system_data_file:lnk_file r_file_perms;
+allow webview_zygote properties_device:dir mounton;
+
 # Send unsolicited message to system_server
 unix_socket_send(webview_zygote, system_unsolzygote, system_server)
diff --git a/private/zygote.te b/private/zygote.te
index 788dafed3..4815eccd0 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -76,6 +76,8 @@ allow zygote {
 user_profile_data_file
 # /storage/emulated/$userId/Android/{data,obb}
 media_rw_data_file
+ # /dev/__properties__
+ properties_device
 }:dir { mounton search };
 # Traverse /data_mirror to get to the above directories while their normal paths
diff --git a/public/init.te b/public/init.te
index e552ec2c6..29dd42d43 100644
--- a/public/init.te
+++ b/public/init.te
@@ -26,7 +26,7 @@ userdebug_or_eng(`
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
 allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
+# /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info
 allow init properties_device:file create_file_perms;
 allow init property_info:file relabelto;
 # /dev/event-log-tags
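Review bot: The comment added to public/init.te spells the path as `/dev/__properties/appcompat_override/property_info`, dropping the trailing underscores of `__properties__`; the microdroid/system/private/init.te hunk and every file_contexts entry in this same change write `/dev/__properties__/appcompat_override/property_info`. Since this comment is what a reader greps for when tracing a label back to its rule, I would correct it to `# /dev/__properties__/property_info and /dev/__properties__/appcompat_override/property_info`. The microdroid copy also updated the directory comment above the `properties_device:dir relabelto` rule to mention appcompat_override; the corresponding line in public/init.te sits just outside this hunk and presumably still reads `# /dev/__properties__`, so it would be consistent to update it the same way.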