Add build properties for attestation feature

The properties for attestation are congifured in build.prop files and used by frameworks Build.java. Allow vendor_init to set these properties and allow Zygote to access them. Bug: 211547922 Test: SELinuxUncheckedDenialBootTest Change-Id: I5666524a9708c6fefe113ad4109b8a344405ad57
2023-02-01 17:50:57 +08:00 · 2023-02-01 17:50:57 +08:00 · 4c23abb282
commit 4c23abb282
parent 1abf80e5c1
5 changed files with 13 additions and 0 deletions
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@ -9,6 +9,7 @@
    apex_ready_prop
    artd
    bt_device
+    build_attestation_prop
    credential_service
    device_config_camera_native_prop
    device_config_memory_safety_native_prop
--- a/private/incidentd.te
+++ b/private/incidentd.te
@ -193,6 +193,9 @@ userdebug_or_eng(`
  get_prop(incidentd, last_boot_reason_prop);
 ')

+# Allow incident to read the build properties for attestation feature
+get_prop(incidentd, build_attestation_prop);
+
 ###
 ### neverallow rules
 ###
--- a/private/property_contexts
+++ b/private/property_contexts
@ -1067,6 +1067,11 @@ ro.product.vendor_dlkm.manufacturer u:object_r:build_vendor_prop:s0 exact string
 ro.product.vendor_dlkm.model        u:object_r:build_vendor_prop:s0 exact string
 ro.product.vendor_dlkm.name         u:object_r:build_vendor_prop:s0 exact string

+# build props for attestation feature are set by property_service
+ro.product.brand_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.model_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.name_for_attestation  u:object_r:build_attestation_prop:s0 exact string
+
 # GRF property for the first api level of the vendor partition
 ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
 ro.board.api_level       u:object_r:build_vendor_prop:s0 exact int
--- a/private/zygote.te
+++ b/private/zygote.te
@ -195,6 +195,9 @@ allow zygote tmpfs:dir r_dir_perms;

 allow zygote same_process_hal_file:file { execute read open getattr map };

+# Allow zygote to read build properties for attestation feature
+get_prop(zygote, build_attestation_prop)
+
 # Allow the zygote to access storage properties to check if sdcardfs is enabled.
 get_prop(zygote, storage_config_prop);

--- a/public/property.te
+++ b/public/property.te
@ -130,6 +130,7 @@ system_vendor_config_prop(apk_verity_prop)
 system_vendor_config_prop(audio_config_prop)
 system_vendor_config_prop(bootanim_config_prop)
 system_vendor_config_prop(bluetooth_config_prop)
+system_vendor_config_prop(build_attestation_prop)
 system_vendor_config_prop(build_config_prop)
 system_vendor_config_prop(build_odm_prop)
 system_vendor_config_prop(build_vendor_prop)