SELinux configuration for memory safety device configs.

These will get read by system libraries in arbitrary processes, so it's a public property with read access by `domain`. Bug: 235129567 Change-Id: I1ab880626e4efa2affe90165ce94a404b918849d
2022-06-08 10:45:18 -07:00 · 2022-06-08 10:45:18 -07:00 · 5b3a8333af
commit 5b3a8333af
parent 981f5581f6
6 changed files with 7 additions and 0 deletions
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
  ( new_objects
+    device_config_memory_safety_native_prop
    device_config_vendor_system_native_prop
    hal_bootctl_service
    permissive_mte_prop
--- a/private/domain.te
+++ b/private/domain.te
@ -80,6 +80,8 @@ get_prop(domain, bq_config_prop);
 # Allow all domains to check whether MTE is set to permissive mode.
 get_prop(domain, permissive_mte_prop);

+get_prop(domain, device_config_memory_safety_native_prop);
+
 # For now, everyone can access core property files
 # Device specific properties are not granted by default
 not_compatible_property(`
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@ -25,6 +25,7 @@ set_prop(flags_health_check, device_config_connectivity_prop)
 set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
 set_prop(flags_health_check, device_config_vendor_system_native_prop)
 set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
+set_prop(flags_health_check, device_config_memory_safety_native_prop)

 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
--- a/private/property_contexts
+++ b/private/property_contexts
@ -259,6 +259,7 @@ persist.device_config.swcodec_native.               u:object_r:device_config_swc
 persist.device_config.vendor_system_native.         u:object_r:device_config_vendor_system_native_prop:s0
 persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
 persist.device_config.window_manager_native_boot.   u:object_r:device_config_window_manager_native_boot_prop:s0
+persist.device_config.memory_safety_native.         u:object_r:device_config_memory_safety_native_prop:s0

 # F2FS smart idle maint prop
 persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
--- a/private/system_server.te
+++ b/private/system_server.te
@ -762,6 +762,7 @@ set_prop(system_server, device_config_connectivity_prop)
 set_prop(system_server, device_config_surface_flinger_native_boot_prop)
 set_prop(system_server, device_config_vendor_system_native_prop)
 set_prop(system_server, device_config_virtualization_framework_native_prop)
+set_prop(system_server, device_config_memory_safety_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)

 # Allow query ART device config properties
--- a/public/property.te
+++ b/public/property.te
@ -193,6 +193,7 @@ system_public_prop(ctl_start_prop)
 system_public_prop(ctl_stop_prop)
 system_public_prop(dalvik_runtime_prop)
 system_public_prop(debug_prop)
+system_public_prop(device_config_memory_safety_native_prop)
 system_public_prop(dumpstate_options_prop)
 system_public_prop(exported_system_prop)
 system_public_prop(exported_bluetooth_prop)