From b6142ecc22186b208b6cf392e12bf02e35acb23a Mon Sep 17 00:00:00 2001
From: rnlee
Date: Tue, 29 Jun 2021 13:48:27 -0700
Subject: [PATCH] Add sepolicy SF native boot namespace. Following go/android-native-flag-api-manual.
Bug: 190769260
Test: make.
Change-Id: I84fe7e9d046fbbe737f09043589b19e71981f521
---
 private/flags_health_check.te | 1 +
 private/property.te | 1 +
 private/property_contexts | 1 +
 private/surfaceflinger.te | 1 +
 private/system_server.te | 3 ++-
 5 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 55d1a9a7b..f6675ac59 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -19,6 +19,7 @@ set_prop(flags_health_check, device_config_sys_traced_prop)
 set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
 set_prop(flags_health_check, device_config_configuration_prop)
 set_prop(flags_health_check, device_config_connectivity_prop)
+set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/property.te b/private/property.te
index 01d4fd95b..d6ddbdf91 100644
--- a/private/property.te
+++ b/private/property.te
@@ -10,6 +10,7 @@ system_internal_prop(device_config_window_manager_native_boot_prop)
 system_internal_prop(device_config_configuration_prop)
 system_internal_prop(device_config_connectivity_prop)
 system_internal_prop(device_config_swcodec_native_prop)
+system_internal_prop(device_config_surface_flinger_native_boot_prop)
 system_internal_prop(fastbootd_protocol_prop)
 system_internal_prop(gsid_prop)
 system_internal_prop(init_perf_lsm_hooks_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 62862e9ab..326232dd7 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -241,6 +241,7 @@ persist.device_config.runtime_native_boot. u:object_r:device_config_run
 persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0
 persist.device_config.statsd_native_boot. u:object_r:device_config_statsd_native_boot_prop:s0
 persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
+persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
 persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
 persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 820372421..f99ce96ac 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -61,6 +61,7 @@ set_prop(surfaceflinger, surfaceflinger_display_prop)
 # Get properties.
 get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
+get_prop(network_stack, device_config_surface_flinger_native_boot_prop)
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
diff --git a/private/system_server.te b/private/system_server.te
index d76a2a8ef..8ea6e5023 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -708,7 +708,7 @@ set_prop(system_server, device_config_sys_traced_prop)
 set_prop(system_server, device_config_window_manager_native_boot_prop)
 set_prop(system_server, device_config_configuration_prop)
 set_prop(system_server, device_config_connectivity_prop)
-
+set_prop(system_server, device_config_surface_flinger_native_boot_prop)
 # Allow query ART device config properties
 get_prop(system_server, device_config_runtime_native_boot_prop)
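Review bot: The rule added in private/surfaceflinger.te names the wrong source domain: `get_prop(network_stack, device_config_surface_flinger_native_boot_prop)` gives read access to network_stack, and none of the visible hunks grants surfaceflinger a get_prop on the new property. As written, an unrelated domain can read the SurfaceFlinger flag namespace, and surfaceflinger itself presumably cannot read the values that system_server and flags_health_check are allowed to set. The line should be `get_prop(surfaceflinger, device_config_surface_flinger_native_boot_prop)`. `Test: make.` only shows that the policy compiles; reading a `persist.device_config.surface_flinger_native_boot.` property from surfaceflinger on a device and checking for avc denials would exercise the rule.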
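Review bot: The `-`/`+` pair in the first private/system_server.te hunk replaces the blank separator line instead of adding a line, so `set_prop(system_server, device_config_surface_flinger_native_boot_prop)` now sits directly above `# Allow query ART device config properties` and reads as part of that comment's group. Keep the blank line and place the new rule before it, at the end of the set_prop list. This is a readability point only and should not change the compiled policy.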
@@ -1216,6 +1216,7 @@ neverallow {
 device_config_runtime_native_prop
 device_config_media_native_prop
 device_config_storage_native_boot_prop
+ device_config_surface_flinger_native_boot_prop
 device_config_sys_traced_prop
 device_config_swcodec_native_prop
 device_config_window_manager_native_boot_prop