Merge "Add a persist.wm.debug property type and associated permissions" am: bd4cd1ac70

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2005839 Change-Id: I503d0f669c6bc56b8ec881774c2c792ea3be6e48
2022-03-08 02:06:03 +00:00 · 2022-03-08 02:06:03 +00:00 · ded5bd867f
commit ded5bd867f
parent c53a1e6720 bd4cd1ac70
7 changed files with 14 additions and 0 deletions
--- a/private/app.te
+++ b/private/app.te
@ -14,6 +14,7 @@ get_prop(appdomain, userspace_reboot_config_prop)
 get_prop(appdomain, vold_config_prop)
 get_prop(appdomain, adbd_config_prop)
 get_prop(appdomain, dck_prop)
+get_prop(appdomain, persist_wm_debug_prop)

 # Allow ART to be configurable via device_config properties
 # (ART "runs" inside the app process)
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@ -50,6 +50,7 @@
    locale_service
    mdns_service
    nearby_service
+    persist_wm_debug_prop
    proc_watermark_boost_factor
    proc_watermark_scale_factor
    remotelyprovisionedkeypool_service
--- a/private/platform_app.te
+++ b/private/platform_app.te
@ -40,6 +40,10 @@ allow platform_app sdcard_type:file create_file_perms;
 # com.android.systemui
 allow platform_app rootfs:dir getattr;
 get_prop(platform_app, radio_cdma_ecm_prop)
+userdebug_or_eng(`
+  set_prop(platform_app, persist_wm_debug_prop)
+')
+neverallow { domain -init -dumpstate userdebug_or_eng(`-domain') } persist_wm_debug_prop:property_service set;

 # com.android.captiveportallogin reads /proc/vmstat
 allow platform_app {
--- a/private/property_contexts
+++ b/private/property_contexts
@ -102,6 +102,7 @@ test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0
 sys.lmk.                u:object_r:system_lmk_prop:s0
 sys.trace.              u:object_r:system_trace_prop:s0
 wrap.                   u:object_r:zygote_wrap_prop:s0 prefix string
+persist.wm.debug.       u:object_r:persist_wm_debug_prop:s0

 # Suspend service properties
 suspend.max_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
--- a/private/shell.te
+++ b/private/shell.te
@ -227,3 +227,6 @@ allow shell apex_info_file:file r_file_perms;
 # Let the shell user call virtualizationservice (and
 # virtualizationservice call back to shell) for debugging.
 virtualizationservice_use(shell)
+
+# Allow shell to set persist.wm.debug properties
+userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')
--- a/private/system_server.te
+++ b/private/system_server.te
@ -799,6 +799,9 @@ get_prop(system_server, net_464xlat_fromvendor_prop)
 # Read hypervisor capabilities ro.boot.hypervisor.*
 get_prop(system_server, hypervisor_prop)

+# Read persist.wm.debug. properties
+get_prop(system_server, persist_wm_debug_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;

--- a/public/property.te
+++ b/public/property.te
@ -74,6 +74,7 @@ system_restricted_prop(init_service_status_prop)
 system_restricted_prop(libc_debug_prop)
 system_restricted_prop(module_sdkextensions_prop)
 system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(persist_wm_debug_prop)
 system_restricted_prop(power_debug_prop)
 system_restricted_prop(property_service_version_prop)
 system_restricted_prop(provisioned_prop)