Merge "Add persist.sysui.notification.builder_extras_ovrd" am: cf1ac9a714 am: 939325600a am: 870aae8164

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2504995 Change-Id: I03ca086505113b91c427ed176e1d7b42b5cd60e4 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-04-03 15:07:53 +00:00 · 2023-04-03 15:07:53 +00:00 · 4731a1e28d
commit 4731a1e28d
parent 1cc8e33941 870aae8164
7 changed files with 19 additions and 0 deletions
--- a/private/app.te
+++ b/private/app.te
@ -46,6 +46,7 @@ get_prop(appdomain, vold_config_prop)
 get_prop(appdomain, adbd_config_prop)
 get_prop(appdomain, dck_prop)
 get_prop(appdomain, persist_wm_debug_prop)
+get_prop(appdomain, persist_sysui_builder_extras_prop)

 # Allow ART to be configurable via device_config properties
 # (ART "runs" inside the app process)
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@ -51,6 +51,7 @@
    fuseblkd
    fuseblkd_exec
    permissive_mte_prop
+    persist_sysui_builder_extras_prop
    prng_seeder
    recovery_usb_config_prop
    remote_provisioning_service
--- a/private/platform_app.te
+++ b/private/platform_app.te
@ -45,6 +45,10 @@ userdebug_or_eng(`
 ')
 neverallow { domain -init -dumpstate userdebug_or_eng(`-domain') } persist_wm_debug_prop:property_service set;

+userdebug_or_eng(`
+  set_prop(platform_app, persist_sysui_builder_extras_prop)
+')
+
 # com.android.captiveportallogin reads /proc/vmstat
 allow platform_app {
  proc_vmstat
@ -122,5 +126,7 @@ virtualizationservice_use(platform_app)
 ### Neverallow rules
 ###

+neverallow { domain -init userdebug_or_eng(`-shell -platform_app') } persist_sysui_builder_extras_prop:property_service set;
+
 # app domains which access /dev/fuse should not run as platform_app
 neverallow platform_app fuse_device:chr_file *;
--- a/private/property.te
+++ b/private/property.te
@ -54,6 +54,7 @@ system_internal_prop(ctl_apex_load_prop)
 # Properties which can't be written outside system
 system_restricted_prop(device_config_virtualization_framework_native_prop)
 system_restricted_prop(log_file_logger_prop)
+system_restricted_prop(persist_sysui_builder_extras_prop)

 ###
 ### Neverallow rules
--- a/private/property_contexts
+++ b/private/property_contexts
@ -1548,3 +1548,6 @@ vibrator.adaptive_haptics.enabled u:object_r:adaptive_haptics_prop:s0 exact stri

 # UVC Gadget property
 ro.usb.uvc.enabled      u:object_r:usb_uvc_enabled_prop:s0 exact bool
+
+# System UI notification properties
+persist.sysui.notification.builder_extras_override u:object_r:persist_sysui_builder_extras_prop:s0 exact bool
--- a/private/shell.te
+++ b/private/shell.te
@ -243,3 +243,7 @@ userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')

 # Allow shell to write GWP-ASan properties even on user builds.
 set_prop(shell, gwp_asan_prop)
+
+# Allow shell to set persist.sysui.notification.builder_extras_override property
+userdebug_or_eng(`set_prop(shell, persist_sysui_builder_extras_prop)')
+
--- a/private/system_server.te
+++ b/private/system_server.te
@ -836,6 +836,9 @@ get_prop(system_server, hypervisor_prop)
 # Read persist.wm.debug. properties
 get_prop(system_server, persist_wm_debug_prop)

+# Read persist.sysui.notification.builder_extras_override property
+get_prop(system_server, persist_sysui_builder_extras_prop)
+
 # Read ro.tuner.lazyhal
 get_prop(system_server, tuner_config_prop)
 # Write tuner.server.enable