Explicitly list "pm.dexopt." sysprops.

Bug: 256639711
Test: m
Change-Id: I5e6bd4fd8ec516a23f4e3a5658a651f04d40412c

private/compat/33.0/33.0.ignore.cil

@@ -51,4 +51,5 @@
     hal_fastboot_service
     hal_can_controller_service
     zoned_block_device
+    future_pm_prop
   ))

private/property_contexts

@@ -592,21 +592,18 @@ ro.hdmi.wake_on_hotplug                                            u:object_r:hd
 ro.hdmi.cec.source.send_standby_on_sleep                           u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
 ro.hdmi.cec.source.playback_device_action_on_routing_control       u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
 
-# This is the namespace of all system properties used by ART Service.
-# As ART Service is in the updatable ART module, we need the prefix to allow us
-# to add new properties.
-pm.dexopt.                                  u:object_r:exported_pm_prop:s0 prefix
-
-# A set of pm.dexopt properties that we should keep supporting for Treble
-# compatibility. We explicitly list them here to discourage renaming or
-# disregarding them.
-pm.dexopt.ab-ota                            u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.bg-dexopt                                     u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.boot                              u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.cmdline                           u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.disable_bg_dexopt                 u:object_r:exported_pm_prop:s0 exact bool
-pm.dexopt.downgrade_after_inactive_days     u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.bg-dexopt.concurrency                         u:object_r:exported_pm_prop:s0 exact int
 pm.dexopt.first-boot                                    u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.first-boot.concurrency                        u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.boot-after-ota                                u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot-after-ota.concurrency                    u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.boot-after-mainline-update                    u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot-after-mainline-update.concurrency        u:object_r:exported_pm_prop:s0 exact int
+
+pm.dexopt.post-boot                                     u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.ab-ota                                        u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.cmdline                                       u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.inactive                                      u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.install                                       u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.install-fast                                  u:object_r:exported_pm_prop:s0 exact string
@@ -614,8 +611,14 @@ pm.dexopt.install-bulk                      u:object_r:exported_pm_prop:s0 exact
 pm.dexopt.install-bulk-secondary                        u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.install-bulk-downgraded                       u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.install-bulk-secondary-downgraded             u:object_r:exported_pm_prop:s0 exact string
+
 pm.dexopt.shared                                        u:object_r:exported_pm_prop:s0 exact string
 
+pm.dexopt.disable_bg_dexopt                             u:object_r:exported_pm_prop:s0 exact bool
+pm.dexopt.downgrade_after_inactive_days                 u:object_r:exported_pm_prop:s0 exact int
+
+pm.dexopt.                                              u:object_r:future_pm_prop:s0 prefix
+
 ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
 
 ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool

public/domain.te

@@ -537,6 +537,14 @@ compatible_property_only(`
     neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
 ')
 
+# New "pm.dexopt." sysprops should be explicitly listed as exported_pm_prop.
+neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:property_service set;
+neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:file no_rw_file_perms;
+
+# ART may introduce new sysprops. SELinux denials due to reading new sysprops on
+# old platforms shouldn't be regarded as a problem.
+dontaudit domain future_pm_prop:file read;
+
 neverallow { domain -init } aac_drc_prop:property_service set;
 neverallow { domain -init } build_prop:property_service set;
 neverallow { domain -init } userdebug_or_eng_prop:property_service set;

public/property.te

@@ -208,6 +208,7 @@ system_public_prop(exported_system_prop)
 system_public_prop(exported_bluetooth_prop)
 system_public_prop(exported_overlay_prop)
 system_public_prop(exported_pm_prop)
+system_public_prop(future_pm_prop)
 system_public_prop(ffs_control_prop)
 system_public_prop(framework_status_prop)
 system_public_prop(gesture_prop)