Allow composd to pass some system properties to CompOS

Bug: 231579544 Test: see allowlisted system properties in the VM Change-Id: Idb263087639e4677e437ac2fcd2726ee71547f48
2022-05-10 16:14:30 -07:00 · 2022-05-10 16:14:30 -07:00 · 3423bc4bcb
commit 3423bc4bcb
parent ce2b6da673
4 changed files with 10 additions and 2 deletions
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@ -25,6 +25,10 @@ dontaudit compos self:dir write;
 # See b/35323867#comment3
 dontaudit compos self:global_capability_class_set dac_override;

+# Allow settings system properties that ART expects.
+set_prop(compos, dalvik_config_prop)
+set_prop(compos, device_config_runtime_native_boot_prop)
+
 # Allow running odrefresh in its own domain
 domain_auto_trans(compos, odrefresh_exec, odrefresh)

--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@ -3,6 +3,7 @@ system_restricted_prop(boot_status_prop)
 # Declare ART properties for CompOS
 system_public_prop(dalvik_config_prop)
 system_restricted_prop(device_config_runtime_native_prop)
+system_restricted_prop(device_config_runtime_native_boot_prop)

 # Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
 # in the audit log
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@ -154,7 +154,9 @@ ro.vndk.version  u:object_r:build_prop:s0 exact string
 heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool

 # ART properties for CompOS
-dalvik.vm.                            u:object_r:dalvik_config_prop:s0 prefix
-persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 prefix
+dalvik.vm.                                  u:object_r:dalvik_config_prop:s0 prefix
+ro.dalvik.vm.                               u:object_r:dalvik_config_prop:s0 prefix
+persist.device_config.runtime_native.       u:object_r:device_config_runtime_native_prop:s0 prefix
+persist.device_config.runtime_native_boot.  u:object_r:device_config_runtime_native_boot_prop:s0 prefix

 apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
--- a/private/composd.te
+++ b/private/composd.te
@ -31,6 +31,7 @@ allow composd compos_fd_server:process signal;

 # Read ART's properties
 get_prop(composd, dalvik_config_prop)
+get_prop(composd, device_config_runtime_native_boot_prop)

 # We never create any artifact files directly
 neverallow composd apex_art_data_file:file ~unlink;