Merge "Adds new policy for init_svc_debug_prop."

private/compat/29.0/29.0.ignore.cil

@@ -12,6 +12,7 @@
     device_config_sys_traced_prop
     hal_can_bus_hwservice
     hal_can_controller_hwservice
+    init_svc_debug_prop
     ota_metadata_file
     runtime_apex_dir
     system_ashmem_hwservice

private/property_contexts

@@ -35,6 +35,7 @@ debug.                  u:object_r:debug_prop:s0
 debug.db.               u:object_r:debuggerd_prop:s0
 dumpstate.              u:object_r:dumpstate_prop:s0
 dumpstate.options       u:object_r:dumpstate_options_prop:s0
+init.svc_debug_pid.     u:object_r:init_svc_debug_prop:s0
 llk.                    u:object_r:llkd_prop:s0
 khungtask.              u:object_r:llkd_prop:s0
 ro.llk.                 u:object_r:llkd_prop:s0

public/property.te

@@ -55,6 +55,7 @@ type gsid_prop, property_type;
 type heapprofd_enabled_prop, property_type;
 type heapprofd_prop, property_type;
 type hwservicemanager_prop, property_type;
+type init_svc_debug_prop, property_type;
 type last_boot_reason_prop, property_type;
 type system_lmk_prop, property_type;
 type llkd_prop, property_type;
@@ -190,6 +191,18 @@ dontaudit domain {
   ctl_rildaemon_prop
 }:property_service set;
 
+neverallow {
+  domain
+  -init
+} init_svc_debug_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  -dumpstate
+  userdebug_or_eng(`-su')
+} init_svc_debug_prop:file no_rw_file_perms;
+
 compatible_property_only(`
 # Prevent properties from being set
   neverallow {

public/vendor_init.te

@@ -217,6 +217,7 @@ not_compatible_property(`
       -apexd_prop
       -gsid_prop
       -nnapi_ext_deny_product_prop
+      -init_svc_debug_prop
     })
 ')