Merge "Allow CompOS to read VM config properties" am: 42f1cad645

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2501960 Change-Id: I0b34e1514aea1ea188dfe3cd93f6e4a95eecf0ec Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 08:32:39 +00:00 · 2023-03-27 08:32:39 +00:00 · 36717942d2
commit 36717942d2
parent 1d33d118a5 42f1cad645
4 changed files with 15 additions and 0 deletions
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@ -10,6 +10,8 @@
    artd
    bt_device
    build_attestation_prop
+    composd_vm_art_prop
+    composd_vm_vendor_prop
    credential_service
    device_as_webcam
    device_config_camera_native_prop
--- a/private/composd.te
+++ b/private/composd.te
@ -30,9 +30,16 @@ allow composd apex_compos_data_file:file create_file_perms;
 domain_auto_trans(composd, fd_server_exec, compos_fd_server)
 allow composd compos_fd_server:process signal;

+# Read properties used to configure the CompOS VM
+get_prop(composd, composd_vm_art_prop)
+get_prop(composd, composd_vm_vendor_prop)
+
 # Read ART's properties
 get_prop(composd, dalvik_config_prop)
 get_prop(composd, device_config_runtime_native_boot_prop)

 # We never create any artifact files directly
 neverallow composd apex_art_data_file:file create;
+
+# ART sets these properties via init script, nothing else should
+neverallow { domain -init } composd_vm_art_prop:property_service set;
--- a/private/property_contexts
+++ b/private/property_contexts
@ -1483,6 +1483,10 @@ ro.gms.dck.se_capability u:object_r:dck_prop:s0 exact int
 # virtualization service properties
 virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint

+# composd properties
+composd.vm.art.memory_mib.config u:object_r:composd_vm_art_prop:s0 exact uint
+composd.vm.vendor.memory_mib.config u:object_r:composd_vm_vendor_prop:s0 exact int
+
 # properties for the virtual Face HAL
 persist.vendor.face.virtual.type u:object_r:virtual_face_hal_prop:s0 exact string
 persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
--- a/public/property.te
+++ b/public/property.te
@ -65,6 +65,7 @@ system_restricted_prop(boottime_public_prop)
 system_restricted_prop(bq_config_prop)
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
+system_restricted_prop(composd_vm_art_prop)
 system_restricted_prop(device_config_camera_native_prop)
 system_restricted_prop(device_config_edgetpu_native_prop)
 system_restricted_prop(device_config_nnapi_native_prop)
@ -142,6 +143,7 @@ system_vendor_config_prop(camera2_extensions_prop)
 system_vendor_config_prop(camerax_extensions_prop)
 system_vendor_config_prop(charger_config_prop)
 system_vendor_config_prop(codec2_config_prop)
+system_vendor_config_prop(composd_vm_vendor_prop)
 system_vendor_config_prop(cpu_variant_prop)
 system_vendor_config_prop(dalvik_config_prop)
 system_vendor_config_prop(debugfs_restriction_prop)