Allow system server to set dynamic ART properties.

This change gives a new type (dalvik_dynamic_config_prop) to some ART
properties such as dalvik.vm.dex2oat-cpu-set and adds a new rule to
allow system server to set them.

Bug: 274530433
Test: Locally added some code to set those properties and saw it being
  successful.
Change-Id: Ie28602e9039b7647656594ce5c184d29778fa089
Jiakai Zhang 2023-03-30 15:50:05 +01:00
parent c5da4fc2b9
commit 22fb5c7d24
17 changed files with 53 additions and 20 deletions


@ -11,7 +11,7 @@ dontaudit compos self:dir write;
dontaudit compos self:global_capability_class_set dac_override;
# Allow settings system properties that ART expects.
set_prop(compos, dalvik_config_prop)
set_prop(compos, dalvik_config_prop_type)
set_prop(compos, device_config_runtime_native_boot_prop)
# Allow running odrefresh in its own domain
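Review bot: `set_prop(compos, dalvik_config_prop_type)` grants write access on an attribute, so any type later given `dalvik_config_prop_type` becomes writable by compos without this file changing. The comment above the rule could say so, for example `# Allow setting every ART property type (dalvik_config_prop_type); types added to the attribute later become writable here too.` If only the types that exist today are meant, naming them explicitly in two `set_prop` lines keeps the grant closed. The rest of the compos policy is outside this hunk.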


@ -31,7 +31,7 @@ allow dex2oat system_file:file lock;
allow dex2oat apex_info_file:file r_file_perms;
# Allow reading dalvik system properties that may affect compilation
get_prop(dex2oat, dalvik_config_prop)
get_prop(dex2oat, dalvik_config_prop_type)
get_prop(dex2oat, device_config_runtime_native_boot_prop)
# Don't audit because we don't configure the compiler through these


@ -37,7 +37,7 @@ allow odrefresh compos:fd use;
# Allow odrefresh to read all dalvik system properties. odrefresh needs to record the relevant ones
# in the output for later verification check.
get_prop(odrefresh, dalvik_config_prop)
get_prop(odrefresh, dalvik_config_prop_type)
get_prop(odrefresh, device_config_runtime_native_boot_prop)
# Silently ignore the write to properties, e.g. for setting boot animation progress.


@ -2,6 +2,7 @@ system_restricted_prop(boot_status_prop)
# Declare ART properties for CompOS
system_public_prop(dalvik_config_prop)
system_public_prop(dalvik_dynamic_config_prop)
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
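Review bot: No `typeattribute` line in this file section attaches `dalvik_config_prop` or `dalvik_dynamic_config_prop` to `dalvik_config_prop_type`; the only such lines on this page are in the other property declaration section. File paths are not shown, but if this file belongs to the same policy as the compos, dex2oat and odrefresh rules that now name the attribute (the CompOS comment suggests it does), the attribute would have no members there. Those `get_prop`/`set_prop` rules would then grant nothing. Adding `typeattribute dalvik_config_prop dalvik_config_prop_type;` and `typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;` here would close that gap; please confirm against the full file, since only its top lines are visible.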


@ -152,10 +152,22 @@ ro.vndk.version u:object_r:build_prop:s0 exact string
heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
# ART properties for CompOS
# ART properties for CompOS.
dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
ro.dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 prefix
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0 prefix
# A list of ART properties that can be set dynamically.
dalvik.vm.background-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
dalvik.vm.background-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
dalvik.vm.boot-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
dalvik.vm.boot-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
dalvik.vm.dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
dalvik.vm.dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
dalvik.vm.image-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
dalvik.vm.image-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
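Review bot: The comment `# A list of ART properties that can be set dynamically.` does not say which label makes them settable or what adding a key implies. Something like `# ART properties labelled dalvik_dynamic_config_prop: every domain with set permission on that type can change them at runtime, so adding a key here widens what those domains can write.` would make the security consequence visible to the next editor. The same ten entries and the same comment are repeated in the later property_contexts section on this page, so the two lists need to be kept in sync.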


@ -150,3 +150,6 @@ attribute microdroid_payload;
# Domains that are blocked from producing a crash dump
attribute no_crash_dump_domain;
# All types of ART properties.
attribute dalvik_config_prop_type;


@ -34,7 +34,7 @@ userdebug_or_eng(`
get_prop(appdomain, test_harness_prop)
get_prop(appdomain, boot_status_prop)
get_prop(appdomain, dalvik_config_prop)
get_prop(appdomain, dalvik_config_prop_type)
get_prop(appdomain, media_config_prop)
get_prop(appdomain, packagemanager_config_prop)
get_prop(appdomain, radio_control_prop)


@ -1545,7 +1545,10 @@
(typeattributeset ctl_sigstop_prop_33_0 (ctl_sigstop_prop))
(typeattributeset ctl_start_prop_33_0 (ctl_start_prop))
(typeattributeset ctl_stop_prop_33_0 (ctl_stop_prop))
(typeattributeset dalvik_config_prop_33_0 (dalvik_config_prop))
(typeattributeset dalvik_config_prop_33_0
( dalvik_config_prop
dalvik_dynamic_config_prop
))
(typeattributeset dalvik_prop_33_0 (dalvik_prop))
(typeattributeset dalvik_runtime_prop_33_0 (dalvik_runtime_prop))
(typeattributeset dalvikcache_data_file_33_0 (dalvikcache_data_file))
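Review bot: Mapping `dalvik_dynamic_config_prop` into `dalvik_config_prop_33_0` means every rule a 33.0 vendor policy wrote against the old type, including any `set` rule, now also applies to the new type. That preserves the pre-change behaviour for these properties, but the reason is not recorded here. A short `;` comment above the set, stating that `dalvik_dynamic_config_prop` was split out of `dalvik_config_prop`, would explain why one versioned attribute covers two types.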


@ -35,7 +35,7 @@ get_prop(composd, composd_vm_art_prop)
get_prop(composd, composd_vm_vendor_prop)
# Read ART's properties
get_prop(composd, dalvik_config_prop)
get_prop(composd, dalvik_config_prop_type)
get_prop(composd, device_config_runtime_native_boot_prop)
# We never create any artifact files directly


@ -1,7 +1,7 @@
get_prop(coredomain, apex_ready_prop)
get_prop(coredomain, boot_status_prop)
get_prop(coredomain, camera_config_prop)
get_prop(coredomain, dalvik_config_prop)
get_prop(coredomain, dalvik_config_prop_type)
get_prop(coredomain, dalvik_runtime_prop)
get_prop(coredomain, exported_pm_prop)
get_prop(coredomain, ffs_config_prop)


@ -275,7 +275,7 @@ compatible_property_only(`
-vendor_init
} {
core_property_type
dalvik_config_prop
dalvik_config_prop_type
extended_core_property_type
exported3_system_prop
systemsound_config_prop


@ -407,31 +407,27 @@ ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
ro.vendor.camera.extensions.package u:object_r:camera2_extensions_prop:s0 exact string
ro.vendor.camera.extensions.service u:object_r:camera2_extensions_prop:s0 exact string
# ART properties
# ART properties.
dalvik.vm. u:object_r:dalvik_config_prop:s0
ro.dalvik.vm. u:object_r:dalvik_config_prop:s0
ro.zygote u:object_r:dalvik_config_prop:s0 exact string
# A set of ART properties listed explicitly for compatibility purposes.
ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.always_debuggable u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.appimageformat u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.backgroundgctype u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.boot-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.boot-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.boot-image u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.bgdexopt.new-classes-percent u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.bgdexopt.new-methods-percent u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.checkjni u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.dex2oat-filter u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.dex2oat-flags u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.dex2oat-max-image-block-size u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.dex2oat-minidebuginfo u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat-resolve-startup-strings u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.dex2oat-very-large u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.dex2oat-swap u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat64.enabled u:object_r:dalvik_config_prop:s0 exact bool
@ -450,10 +446,8 @@ dalvik.vm.heaptargetutilization u:object_r:dalvik_config_prop:s0 e
dalvik.vm.hot-startup-method-samples u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.image-dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.image-dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.image-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.image-dex2oat-filter u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.image-dex2oat-flags u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.image-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.isa.arm.features u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.isa.arm.variant u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.isa.arm64.features u:object_r:dalvik_config_prop:s0 exact string
@ -483,11 +477,21 @@ dalvik.vm.profilesystemserver u:object_r:dalvik_config_prop:s0 e
dalvik.vm.profilebootclasspath u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.ps-min-save-period-ms u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.ps-resolved-classes-delay-ms u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
# A list of ART properties that can be set dynamically.
dalvik.vm.background-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
dalvik.vm.background-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
dalvik.vm.boot-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
dalvik.vm.boot-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
dalvik.vm.dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
dalvik.vm.dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
dalvik.vm.image-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
dalvik.vm.image-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool


@ -42,7 +42,7 @@ auditallow sdk_sandbox {
-codec2_config_prop
-config_prop
-cppreopt_prop
-dalvik_config_prop
-dalvik_config_prop_type
-dalvik_prop
-dalvik_runtime_prop
-dck_prop


@ -1527,3 +1527,6 @@ neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_
# Only system server can write the font files.
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
# Allow system server to set dynamic ART properties.
set_prop(system_server, dalvik_dynamic_config_prop)
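Review bot: Nothing here pins down which domains may write `dalvik_dynamic_config_prop`; the new `set_prop` is appended after the font-file neverallows with no matching guard of its own. Judging by their names, these properties steer dex2oat's thread count and CPU set, so a later rule that widens the writer set would be easy to miss. A guard such as `neverallow { domain -init -vendor_init -system_server } dalvik_dynamic_config_prop:property_service set;` would make the build fail on such a rule. The exclusion list is taken from the `set_prop` rules visible on this page plus init, and should be checked against the rest of the policy before adopting it.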


@ -430,3 +430,6 @@ attribute apex_data_file_type;
# permissions to maintain the health loop, writing to kernel log, handling
# inputs and drawing screens, etc.
attribute charger_type;
# All types of ART properties.
attribute dalvik_config_prop_type;


@ -207,6 +207,7 @@ system_public_prop(ctl_default_prop)
system_public_prop(ctl_interface_start_prop)
system_public_prop(ctl_start_prop)
system_public_prop(ctl_stop_prop)
system_public_prop(dalvik_dynamic_config_prop)
system_public_prop(dalvik_runtime_prop)
system_public_prop(debug_prop)
system_public_prop(device_config_memory_safety_native_boot_prop)
@ -367,3 +368,5 @@ typeattribute system_prop core_property_type;
typeattribute usb_prop core_property_type;
typeattribute vold_prop core_property_type;
typeattribute dalvik_config_prop dalvik_config_prop_type;
typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;


@ -235,6 +235,7 @@ set_prop(vendor_init, bluetooth_config_prop)
set_prop(vendor_init, camera2_extensions_prop)
set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
set_prop(vendor_init, dalvik_dynamic_config_prop)
set_prop(vendor_init, dalvik_runtime_prop)
set_prop(vendor_init, debug_prop)
set_prop(vendor_init, exported_bluetooth_prop)