From a45646c024da96ff9b386dfafa6b42155a43ed63 Mon Sep 17 00:00:00 2001
From: Alan Stokes
Date: Wed, 22 Mar 2023 09:48:30 +0000
Subject: [PATCH] Allow CompOS to read VM config properties

We want to allow both the VM and ART to contribute to the VM config (e.g. memory size), so define labels for 2 sets of properties and grant the necessary access.

Bug: 274102209
Test: builds
Change-Id: Iaca1e0704301c9155f44e1859fc5a36198917568
---
 private/compat/33.0/33.0.ignore.cil | 2 ++
 private/composd.te | 7 +++++++
 private/property_contexts | 4 ++++
 public/property.te | 2 ++
 4 files changed, 15 insertions(+)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3b61f738d..4df0d0b1b 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -10,6 +10,8 @@
 artd
 bt_device
 build_attestation_prop
+ composd_vm_art_prop
+ composd_vm_vendor_prop
 credential_service
 device_as_webcam
 device_config_camera_native_prop
diff --git a/private/composd.te b/private/composd.te
index 96991c6fe..68dd99324 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -30,9 +30,16 @@ allow composd apex_compos_data_file:file create_file_perms;
 domain_auto_trans(composd, fd_server_exec, compos_fd_server)
 allow composd compos_fd_server:process signal;
+# Read properties used to configure the CompOS VM
+get_prop(composd, composd_vm_art_prop)
+get_prop(composd, composd_vm_vendor_prop)
+
 # Read ART's properties
 get_prop(composd, dalvik_config_prop)
 get_prop(composd, device_config_runtime_native_boot_prop)
 # We never create any artifact files directly
 neverallow composd apex_art_data_file:file create;
+
+# ART sets these properties via init script, nothing else should
+neverallow { domain -init } composd_vm_art_prop:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 269442d9a..03b82bd8e 100644
--- a/private/property_contexts
+++ b/private/property_contexts
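Review bot: The new neverallow at the end of private/composd.te restricts only `composd_vm_art_prop` to init, while `composd_vm_vendor_prop`, which composd reads through the same pair of `get_prop` grants, has no matching statement and no comment saying who may set it. Its write rules come entirely from the `system_vendor_config_prop` declaration in public/property.te, which as far as I know also admits vendor_init, so the vendor value should be treated as input from outside the system partition. I would record that next to the grants, e.g. `# composd_vm_vendor_prop is set on the vendor side (system_vendor_config_prop); composd must range-check it before using it for the VM config`. The comment above the neverallow says "these properties" although the rule names a single type, so `this property type` would match what is enforced.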
@@ -1479,6 +1479,10 @@ ro.gms.dck.se_capability u:object_r:dck_prop:s0 exact int
 # virtualization service properties
 virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
+# composd properties
+composd.vm.art.memory_mib.config u:object_r:composd_vm_art_prop:s0 exact uint
+composd.vm.vendor.memory_mib.config u:object_r:composd_vm_vendor_prop:s0 exact int
+
 # properties for the virtual Face HAL
 persist.vendor.face.virtual.type u:object_r:virtual_face_hal_prop:s0 exact string
 persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
diff --git a/public/property.te b/public/property.te
index 74dd0f52a..2f37b93ef 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@ system_restricted_prop(boottime_public_prop)
 system_restricted_prop(bq_config_prop)
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
+system_restricted_prop(composd_vm_art_prop)
 system_restricted_prop(device_config_camera_native_prop)
 system_restricted_prop(device_config_edgetpu_native_prop)
 system_restricted_prop(device_config_nnapi_native_prop)
@@ -142,6 +143,7 @@ system_vendor_config_prop(camera2_extensions_prop)
 system_vendor_config_prop(camerax_extensions_prop)
 system_vendor_config_prop(charger_config_prop)
 system_vendor_config_prop(codec2_config_prop)
+system_vendor_config_prop(composd_vm_vendor_prop)
 system_vendor_config_prop(cpu_variant_prop)
 system_vendor_config_prop(dalvik_config_prop)
 system_vendor_config_prop(debugfs_restriction_prop)
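Review bot: The two memory properties added to private/property_contexts are typed differently: `composd.vm.art.memory_mib.config` is `exact uint` while `composd.vm.vendor.memory_mib.config` is `exact int`, so a negative vendor value passes the property-type check. If nothing needs a signed value, the vendor entry should read `composd.vm.vendor.memory_mib.config u:object_r:composd_vm_vendor_prop:s0 exact uint`. If the signed type is intentional, a comment on the entry should say what a negative value means, and the reader (presumably composd, not visible in this patch) has to reject negative and out-of-range sizes before they reach the VM config.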