Allow zygotes and installd to read odsign properties am: be6873bd15

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/15175855

Change-Id: Ifc7d1e03057e1fad472d438ddee54f988dab9347

prebuilts/api/31.0/private/app_zygote.te

@@ -79,6 +79,9 @@ unix_socket_send(app_zygote, system_unsolzygote, system_server)
 get_prop(app_zygote, device_config_runtime_native_prop)
 get_prop(app_zygote, device_config_runtime_native_boot_prop)
 
+# Allow app_zygote to access odsign verification status
+get_prop(app_zygote, odsign_prop)
+
 #####
 ##### Neverallow
 #####

prebuilts/api/31.0/private/installd.te

@@ -40,6 +40,9 @@ get_prop(installd, device_config_runtime_native_boot_prop)
 # Allow installd to access apk verity feature flag (for legacy case).
 get_prop(installd, apk_verity_prop)
 
+# Allow installd to access odsign verification status
+get_prop(installd, odsign_prop)
+
 # Allow installd to delete files in /data/staging
 allow installd staging_data_file:file unlink;
 allow installd staging_data_file:dir { open read remove_name rmdir search write };

prebuilts/api/31.0/private/webview_zygote.te

@@ -87,6 +87,9 @@ unix_socket_send(webview_zygote, system_unsolzygote, system_server)
 get_prop(webview_zygote, device_config_runtime_native_prop)
 get_prop(webview_zygote, device_config_runtime_native_boot_prop)
 
+# Allow webview_zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
 #####
 ##### Neverallow
 #####

prebuilts/api/31.0/private/zygote.te

@@ -217,6 +217,9 @@ unix_socket_send(zygote, system_unsolzygote, system_server)
 # Allow zygote to access media_variant_prop for static initialization
 get_prop(zygote, media_variant_prop)
 
+# Allow zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
 # Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
 get_prop(zygote, packagemanager_config_prop)
 

private/app_zygote.te

@@ -79,6 +79,9 @@ unix_socket_send(app_zygote, system_unsolzygote, system_server)
 get_prop(app_zygote, device_config_runtime_native_prop)
 get_prop(app_zygote, device_config_runtime_native_boot_prop)
 
+# Allow app_zygote to access odsign verification status
+get_prop(app_zygote, odsign_prop)
+
 #####
 ##### Neverallow
 #####

private/installd.te

@@ -40,6 +40,9 @@ get_prop(installd, device_config_runtime_native_boot_prop)
 # Allow installd to access apk verity feature flag (for legacy case).
 get_prop(installd, apk_verity_prop)
 
+# Allow installd to access odsign verification status
+get_prop(installd, odsign_prop)
+
 # Allow installd to delete files in /data/staging
 allow installd staging_data_file:file unlink;
 allow installd staging_data_file:dir { open read remove_name rmdir search write };

private/webview_zygote.te

@@ -87,6 +87,9 @@ unix_socket_send(webview_zygote, system_unsolzygote, system_server)
 get_prop(webview_zygote, device_config_runtime_native_prop)
 get_prop(webview_zygote, device_config_runtime_native_boot_prop)
 
+# Allow webview_zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
 #####
 ##### Neverallow
 #####

private/zygote.te

@@ -217,6 +217,9 @@ unix_socket_send(zygote, system_unsolzygote, system_server)
 # Allow zygote to access media_variant_prop for static initialization
 get_prop(zygote, media_variant_prop)
 
+# Allow zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
 # Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
 get_prop(zygote, packagemanager_config_prop)