Merge "Sepolicy: add dynamic_system_prop"

2019-05-01 10:33:29 +00:00 · 2019-05-01 10:33:29 +00:00 · 4eb1a20c77
commit 4eb1a20c77
parent 6acaea456f 565384db61
6 changed files with 11 additions and 0 deletions
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@ -47,6 +47,7 @@
    device_config_sys_traced_prop
    dnsresolver_service
    dynamic_android_service
+    dynamic_system_prop
    face_service
    face_vendor_data_file
    fastbootd
--- a/private/priv_app.te
+++ b/private/priv_app.te
@ -162,6 +162,9 @@ allow priv_app incidentd:fifo_file { read write };
 # profileable/debuggable.
 can_profile_heap(priv_app)

+# Allow priv_apps to check whether Dynamic System Update is enabled
+get_prop(priv_app, dynamic_system_prop)
+
 # suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;
--- a/private/property_contexts
+++ b/private/property_contexts
@ -59,6 +59,7 @@ persist.mmc.            u:object_r:mmc_prop:s0
 persist.netd.stable_secret      u:object_r:netd_stable_secret_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
+persist.sys.fflag.override.settings_dynamic_system    u:object_r:dynamic_system_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0
 persist.sys.audit_safemode      u:object_r:safemode_prop:s0
 persist.service.        u:object_r:system_prop:s0
--- a/private/system_app.te
+++ b/private/system_app.te
@ -49,6 +49,8 @@ userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
 auditallow system_app net_radio_prop:property_service set;
 auditallow system_app system_radio_prop:property_service set;
 auditallow system_app exported_system_radio_prop:property_service set;
+# Allow Settings to enable Dynamic System Update
+set_prop(system_app, dynamic_system_prop)

 # ctl interface
 set_prop(system_app, ctl_default_prop)
--- a/public/property.te
+++ b/public/property.te
@ -43,6 +43,7 @@ type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
 type dumpstate_prop, property_type, core_property_type;
+type dynamic_system_prop, property_type;
 type exported_secure_prop, property_type;
 type ffs_prop, property_type, core_property_type;
 type fingerprint_prop, property_type, core_property_type;
@ -423,6 +424,7 @@ compatible_property_only(`
    -device_config_runtime_native_prop
    -device_config_media_native_prop
    -device_config_sys_traced_prop
+    -dynamic_system_prop
    -gsid_prop
    -heapprofd_enabled_prop
    -heapprofd_prop
--- a/public/shell.te
+++ b/public/shell.te
@ -80,6 +80,8 @@ userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
 set_prop(shell, heapprofd_enabled_prop)
 # Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
 set_prop(shell, ctl_gsid_prop)
+# Allow shell to enable Dynamic System Update
+set_prop(shell, dynamic_system_prop)

 userdebug_or_eng(`
  # "systrace --boot" support - allow boottrace service to run