kcmdlinectrl: define system property for kcmdlinectrl

This defines the kcmdline_prop context for properties controlled by kcmdlinectrl, and defines a property called kcmdline.binder for switching between the Rust and C implementations of the Binder driver. It is intended that additional kcmdline properties introduced in the future would share the same kcmdline_prop context. Test: Verified that setprop/getprop work and that the value is loaded properly at boot Bug: 326222756 Change-Id: Iea362df98d729ee110b6058c6e5fa6b6ace03d8e
2024-02-21 15:18:14 +00:00 · 2024-02-21 15:18:14 +00:00 · 6b9aa6dc33
commit 6b9aa6dc33
parent edfb82499e
7 changed files with 44 additions and 0 deletions
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@ -409,6 +409,7 @@
 /system/bin/perfetto                                              perfetto_exec
 /system/bin/misctrl                                               misctrl_exec
 /system/bin/mtectrl                                               mtectrl_exec
+/system/bin/kcmdlinectrl                                          kcmdlinectrl_exec
 /system/bin/traced                                                traced_exec
 /system/bin/traced_perf                                           traced_perf_exec
 /system/bin/traced_probes                                         traced_probes_exec
--- a/private/domain.te
+++ b/private/domain.te
@ -227,6 +227,7 @@ neverallow {
  -ueventd
  -mtectrl
  -misctrl
+  -kcmdlinectrl
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };

 # Limit ability to ptrace or read sensitive /proc/pid files of processes
@ -806,6 +807,7 @@ neverallow {
 } system_app_data_file:dir_file_class_set { create unlink open };

 neverallow { domain -init } mtectrl:process { dyntransition transition };
+neverallow { domain -init } kcmdlinectrl:process { dyntransition transition };

 # For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
 neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
--- a/private/file_contexts
+++ b/private/file_contexts
@ -335,6 +335,7 @@
 /system/bin/perfetto        u:object_r:perfetto_exec:s0
 /system/bin/mtectrl         u:object_r:mtectrl_exec:s0
 /system/bin/misctrl         u:object_r:misctrl_exec:s0
+/system/bin/kcmdlinectrl         u:object_r:kcmdlinectrl_exec:s0
 /system/bin/traced        u:object_r:traced_exec:s0
 /system/bin/traced_perf        u:object_r:traced_perf_exec:s0
 /system/bin/traced_probes        u:object_r:traced_probes_exec:s0
--- a/private/kcmdlinectrl.te
+++ b/private/kcmdlinectrl.te
@ -0,0 +1,22 @@
+# kcmdlinectrl is a tool to have the bootloader send kernel commandline flags
+# for enabling dogfood features in the kernel
+type kcmdlinectrl, domain, coredomain;
+type kcmdlinectrl_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(kcmdlinectrl)
+
+# for setting kcmdline properties to match the bootloader state.
+set_prop(kcmdlinectrl, kcmdline_prop)
+
+# kcmdlinectrl communicates the request to the bootloader via the misc partition.
+# needs to write to update the request in misc partition, and read to sync
+# back to the property.
+allow kcmdlinectrl misc_block_device:blk_file rw_file_perms;
+allow kcmdlinectrl block_device:dir r_dir_perms;
+read_fstab(kcmdlinectrl)
+
+# bootloader_message tries to find the fstab in the device config path first,
+# but because we've already booted up we can use the ro.boot properties instead,
+# so we can just ignore the SELinux denial.
+dontaudit kcmdlinectrl sysfs_dt_firmware_android:dir search;
+dontaudit kcmdlinectrl vendor_property_type:file read;
--- a/private/property.te
+++ b/private/property.te
@ -24,6 +24,7 @@ system_internal_prop(init_perf_lsm_hooks_prop)
 system_internal_prop(init_service_status_private_prop)
 system_internal_prop(init_storage_prop)
 system_internal_prop(init_svc_debug_prop)
+system_internal_prop(kcmdline_prop)
 system_internal_prop(keystore_crash_prop)
 system_internal_prop(keystore_listen_prop)
 system_internal_prop(last_boot_reason_prop)
@ -489,6 +490,15 @@ neverallow {
  gwp_asan_prop
 }:property_service set;

+neverallow {
+  domain
+  -init
+  -shell
+  -kcmdlinectrl
+} {
+  kcmdline_prop
+}:property_service set;
+
 neverallow {
  domain
  -init
--- a/private/property_contexts
+++ b/private/property_contexts
@ -893,6 +893,11 @@ persist.libc.debug.gwp_asan.  u:object_r:gwp_asan_prop:s0 prefix string
 arm64.memtag.         u:object_r:arm64_memtag_prop:s0 prefix string
 persist.arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string

+# kcmdline props for dogfood experiments
+# All kcmdline properties share the kcmdline_prop context
+kcmdline.loaded     u:object_r:kcmdline_prop:s0 exact bool
+kcmdline.binder     u:object_r:kcmdline_prop:s0 exact enum c rust
+
 net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool

 # Settings system properties containing mutable "global" device settings.
--- a/private/shell.te
+++ b/private/shell.te
@ -228,6 +228,9 @@ set_prop(shell, sqlite_log_prop)
 # Allow shell to write MTE properties even on user builds.
 set_prop(shell, arm64_memtag_prop)

+# Allow shell to write kcmdline properties even on user builds.
+set_prop(shell, kcmdline_prop)
+
 # Allow shell to read the dm-verity props on user builds.
 get_prop(shell, verity_status_prop)