From 3d7093fd7bc1dffa49db5436081c6f4e49947f26 Mon Sep 17 00:00:00 2001
From: Martin Stjernholm
Date: Wed, 10 May 2023 16:52:39 +0100
Subject: [PATCH] Allow the ART boot oneshot service to configure ART config properties.
Test: See commit 2691baf9d4f8086902d46b2e340a6e5464857b90 in art/ (ag/23125728)
Bug: 281850017
Ignore-AOSP-First: Will cherry-pick to AOSP later
Change-Id: I14baf55d07ad559294bd3b7d9562230e78201d25
---
 apex/com.android.art-file_contexts | 1 +
 apex/com.android.art.debug-file_contexts | 1 +
 prebuilts/api/34.0/private/art_boot.te | 9 +++++++++
 prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil | 2 ++
 prebuilts/api/34.0/private/domain.te | 4 ++++
 prebuilts/api/34.0/public/property.te | 2 +-
 prebuilts/api/34.0/public/vendor_init.te | 1 +
 private/art_boot.te | 9 +++++++++
 private/compat/33.0/33.0.ignore.cil | 2 ++
 private/domain.te | 4 ++++
 public/property.te | 2 +-
 public/vendor_init.te | 1 +
 12 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 prebuilts/api/34.0/private/art_boot.te
 create mode 100644 private/art_boot.te
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index f1aa92b43..ada6c3b3b 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -2,6 +2,7 @@
 # System files
 #
 (/.*)? u:object_r:system_file:s0
+/bin/art_boot u:object_r:art_boot_exec:s0
 /bin/art_exec u:object_r:art_exec_exec:s0
 /bin/artd u:object_r:artd_exec:s0
 /bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index cc60b700f..a3fc35d55 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -2,6 +2,7 @@
 # System files
 #
 (/.*)? u:object_r:system_file:s0
+/bin/art_boot u:object_r:art_boot_exec:s0
 /bin/art_exec u:object_r:art_exec_exec:s0
 /bin/artd u:object_r:artd_exec:s0
 /bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
diff --git a/prebuilts/api/34.0/private/art_boot.te b/prebuilts/api/34.0/private/art_boot.te
new file mode 100644
index 000000000..1b088d61f
--- /dev/null
+++ b/prebuilts/api/34.0/private/art_boot.te
@@ -0,0 +1,9 @@
+# ART boot oneshot service
+type art_boot, domain, coredomain;
+type art_boot_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(art_boot)
+
+# Allow ART to set its config properties at boot, mainly to be able to propagate
+# experiment flags to properties that only may change at boot.
+set_prop(art_boot, dalvik_config_prop_type)
diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
index 54078ba64..3ad58d585 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
@@ -7,6 +7,8 @@
 ( new_objects
 adaptive_haptics_prop
 apex_ready_prop
+ art_boot
+ art_boot_exec
 artd
 bt_device
 build_attestation_prop
diff --git a/prebuilts/api/34.0/private/domain.te b/prebuilts/api/34.0/private/domain.te
index 26d975064..c08f04160 100644
--- a/prebuilts/api/34.0/private/domain.te
+++ b/prebuilts/api/34.0/private/domain.te
@@ -539,6 +539,10 @@ neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
 # Do not allow reading the last boot timestamp from system properties
 neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
+# Allow ART to set its config properties in its oneshot boot service, in
+# addition to the common init and vendor_init access.
+neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;
+
 # Kprobes should only be used by adb root
 neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
diff --git a/prebuilts/api/34.0/public/property.te b/prebuilts/api/34.0/public/property.te
index 5ee8d60b6..798836931 100644
--- a/prebuilts/api/34.0/public/property.te
+++ b/prebuilts/api/34.0/public/property.te
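Review bot: In the new art_boot.te, `set_prop(art_boot, dalvik_config_prop_type)` grants the set permission on an attribute, while the neverallow this commit adds to domain.te names only the single type `dalvik_config_prop`. No hunk on this page defines `dalvik_config_prop_type` or shows its members, so any property type carrying that attribute becomes settable by art_boot without a matching neverallow bounding who else may set it. If only the one type is meant, `set_prop(art_boot, dalvik_config_prop)` keeps the grant and the neverallow in step; otherwise a comment naming the attribute's intended members would help the next reviewer. The same line is in private/art_boot.te.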
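Review bot: The comment above the new neverallow in domain.te opens with "Allow ART to set its config properties", but the rule grants nothing; it forbids every domain other than art_boot, init and vendor_init from setting `dalvik_config_prop`. Wording it as the restriction would read correctly next to the neighbouring rules, for example `# Only init, vendor_init and the ART oneshot boot service may set ART config properties.` The hunk sits in the middle of domain.te, and the same text is repeated in private/domain.te.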
@@ -147,7 +147,6 @@ system_vendor_config_prop(charger_config_prop)
 system_vendor_config_prop(codec2_config_prop)
 system_vendor_config_prop(composd_vm_vendor_prop)
 system_vendor_config_prop(cpu_variant_prop)
-system_vendor_config_prop(dalvik_config_prop)
 system_vendor_config_prop(debugfs_restriction_prop)
 system_vendor_config_prop(drm_service_config_prop)
 system_vendor_config_prop(exported_camera_prop)
@@ -210,6 +209,7 @@ system_public_prop(ctl_default_prop)
 system_public_prop(ctl_interface_start_prop)
 system_public_prop(ctl_start_prop)
 system_public_prop(ctl_stop_prop)
+system_public_prop(dalvik_config_prop)
 system_public_prop(dalvik_dynamic_config_prop)
 system_public_prop(dalvik_runtime_prop)
 system_public_prop(debug_prop)
diff --git a/prebuilts/api/34.0/public/vendor_init.te b/prebuilts/api/34.0/public/vendor_init.te
index 3942c27c5..9dd9898ff 100644
--- a/prebuilts/api/34.0/public/vendor_init.te
+++ b/prebuilts/api/34.0/public/vendor_init.te
@@ -235,6 +235,7 @@ set_prop(vendor_init, bluetooth_config_prop)
 set_prop(vendor_init, camera2_extensions_prop)
 set_prop(vendor_init, camerax_extensions_prop)
 set_prop(vendor_init, cpu_variant_prop)
+set_prop(vendor_init, dalvik_config_prop)
 set_prop(vendor_init, dalvik_dynamic_config_prop)
 set_prop(vendor_init, dalvik_runtime_prop)
 set_prop(vendor_init, debug_prop)
diff --git a/private/art_boot.te b/private/art_boot.te
new file mode 100644
index 000000000..1b088d61f
--- /dev/null
+++ b/private/art_boot.te
@@ -0,0 +1,9 @@
+# ART boot oneshot service
+type art_boot, domain, coredomain;
+type art_boot_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(art_boot)
+
+# Allow ART to set its config properties at boot, mainly to be able to propagate
+# experiment flags to properties that only may change at boot.
+set_prop(art_boot, dalvik_config_prop_type)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 54078ba64..3ad58d585 100644
--- a/private/compat/33.0/33.0.ignore.cil
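Review bot: Moving `dalvik_config_prop` out of the `system_vendor_config_prop` list and into `system_public_prop` leaves nothing in property.te that says why this one config property is declared differently from its neighbours. The set restriction now appears to rest on the hand-written neverallow in private/domain.te and the explicit `set_prop(vendor_init, dalvik_config_prop)` in vendor_init.te rather than on the macro, whose body is not shown on this page. A comment at the new line, such as `# Not system_vendor_config_prop: art_boot also sets this; see the neverallow in private/domain.te.`, would keep a later cleanup from folding the declaration back or dropping the neverallow. public/property.te carries the same two hunks.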
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -7,6 +7,8 @@
 ( new_objects
 adaptive_haptics_prop
 apex_ready_prop
+ art_boot
+ art_boot_exec
 artd
 bt_device
 build_attestation_prop
diff --git a/private/domain.te b/private/domain.te
index 26d975064..c08f04160 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -539,6 +539,10 @@ neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
 # Do not allow reading the last boot timestamp from system properties
 neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
+# Allow ART to set its config properties in its oneshot boot service, in
+# addition to the common init and vendor_init access.
+neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;
+
 # Kprobes should only be used by adb root
 neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
diff --git a/public/property.te b/public/property.te
index 5ee8d60b6..798836931 100644
--- a/public/property.te
+++ b/public/property.te
@@ -147,7 +147,6 @@ system_vendor_config_prop(charger_config_prop)
 system_vendor_config_prop(codec2_config_prop)
 system_vendor_config_prop(composd_vm_vendor_prop)
 system_vendor_config_prop(cpu_variant_prop)
-system_vendor_config_prop(dalvik_config_prop)
 system_vendor_config_prop(debugfs_restriction_prop)
 system_vendor_config_prop(drm_service_config_prop)
 system_vendor_config_prop(exported_camera_prop)
@@ -210,6 +209,7 @@ system_public_prop(ctl_default_prop)
 system_public_prop(ctl_interface_start_prop)
 system_public_prop(ctl_start_prop)
 system_public_prop(ctl_stop_prop)
+system_public_prop(dalvik_config_prop)
 system_public_prop(dalvik_dynamic_config_prop)
 system_public_prop(dalvik_runtime_prop)
 system_public_prop(debug_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 3942c27c5..9dd9898ff 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -235,6 +235,7 @@ set_prop(vendor_init, bluetooth_config_prop)
 set_prop(vendor_init, camera2_extensions_prop)
 set_prop(vendor_init, camerax_extensions_prop)
 set_prop(vendor_init, cpu_variant_prop)
+set_prop(vendor_init, dalvik_config_prop)
 set_prop(vendor_init, dalvik_dynamic_config_prop)
 set_prop(vendor_init, dalvik_runtime_prop)
 set_prop(vendor_init, debug_prop)