From 2d6c9f0fe897564351125bf1b6439d0d49e1f251 Mon Sep 17 00:00:00 2001
From: Xiao Ma
Date: Tue, 2 Feb 2021 10:27:38 +0000
Subject: [PATCH] Allow connectivity namespace to enable native level access flags.

Follow the steps: go/android-native-flag-api-manual

Bug: 179099277
Test: m -j
Test: manually verify connection to wifi after flash
Change-Id: Ieb5355d40aec9ed7a42b7ae5b250b696fcf00810
---
 private/compat/30.0/30.0.ignore.cil | 1 +
 private/flags_health_check.te | 1 +
 private/network_stack.te | 3 +++
 private/property.te | 1 +
 private/property_contexts | 1 +
 private/system_server.te | 2 ++
 6 files changed, 9 insertions(+)

diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 2a960e5e5..85902aa95 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -21,6 +21,7 @@
 debugfs_kprobes
 debugfs_mm_events_tracing
 device_config_profcollect_native_boot_prop
+ device_config_connectivity_prop
 device_state_service
 dm_user_device
 dmabuf_heap_device
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index de5f37e53..983bad685 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -17,6 +17,7 @@ set_prop(flags_health_check, device_config_storage_native_boot_prop)
 set_prop(flags_health_check, device_config_sys_traced_prop)
 set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
 set_prop(flags_health_check, device_config_configuration_prop)
+set_prop(flags_health_check, device_config_connectivity_prop)
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/network_stack.te b/private/network_stack.te
index ab5a56e8f..f130e8020 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -44,3 +44,6 @@ allow network_stack bpfloader:bpf { map_read map_write prog_run };
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
 # TODO: Remove this permission when 4.9 kernel is deprecated.
 allow network_stack self:key_socket create;
+
+# Grant read permission of connectivity namespace system property prefix.
+get_prop(network_stack, device_config_connectivity_prop)
diff --git a/private/property.te b/private/property.te
index 0885b91b0..5dc75b8b9 100644
--- a/private/property.te
+++ b/private/property.te
@@ -8,6 +8,7 @@ system_internal_prop(device_config_storage_native_boot_prop)
 system_internal_prop(device_config_sys_traced_prop)
 system_internal_prop(device_config_window_manager_native_boot_prop)
 system_internal_prop(device_config_configuration_prop)
+system_internal_prop(device_config_connectivity_prop)
 system_internal_prop(fastbootd_protocol_prop)
 system_internal_prop(gsid_prop)
 system_internal_prop(init_perf_lsm_hooks_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 5b832dc57..9abc227af 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -221,6 +221,7 @@ device_config.reset_performed u:object_r:device_config_res
 persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
 persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
 persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
+persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0
 persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
 persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
 persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
diff --git a/private/system_server.te b/private/system_server.te
index 4eb2d38e5..6c2111b7c 100644
--- a/private/system_server.te
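Review bot: The new comment above `get_prop(network_stack, device_config_connectivity_prop)` in network_stack.te names neither the property prefix it covers nor the fact that the grant is read-only, which is the security-relevant part for a network-facing process. I would write it as `# Read-only access to the connectivity DeviceConfig flag namespace (persist.device_config.connectivity.*); no set_prop is granted here, and setting is confined to system_server/flags_health_check by the neverallow in system_server.te.` The rule itself looks correct: the type is declared `system_internal_prop` in property.te in this same patch, so it should stay invisible to vendor and untrusted app domains, though network_stack's own coredomain attribute is not visible in this diff and is assumed.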
+++ b/private/system_server.te
@@ -664,6 +664,7 @@ set_prop(system_server, device_config_storage_native_boot_prop)
 set_prop(system_server, device_config_sys_traced_prop)
 set_prop(system_server, device_config_window_manager_native_boot_prop)
 set_prop(system_server, device_config_configuration_prop)
+set_prop(system_server, device_config_connectivity_prop)
 
 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
@@ -1113,6 +1114,7 @@ neverallow {
 -flags_health_check
 } {
 device_config_activity_manager_native_boot_prop
+ device_config_connectivity_prop
 device_config_input_native_boot_prop
 device_config_netd_native_prop
 device_config_runtime_native_boot_prop