From e1ac267ddd25adae9878de64538fa62017eeb5f7 Mon Sep 17 00:00:00 2001
From: Martin Stjernholm
Date: Wed, 10 May 2023 16:52:39 +0100
Subject: [PATCH] Allow the ART boot oneshot service to configure ART config properties.
Test: See commit 2691baf9d4f8086902d46b2e340a6e5464857b90 in art/ (ag/23125728)
Bug: 281850017
Change-Id: I14baf55d07ad559294bd3b7d9562230e78201d25
(cherry picked from commit 3d7093fd7bc1dffa49db5436081c6f4e49947f26)
Merged-In: I14baf55d07ad559294bd3b7d9562230e78201d25
---
 apex/com.android.art-file_contexts | 1 +
 apex/com.android.art.debug-file_contexts | 1 +
 private/art_boot.te | 9 +++++++++
 private/compat/33.0/33.0.ignore.cil | 2 ++
 private/domain.te | 4 ++++
 public/property.te | 2 +-
 public/vendor_init.te | 1 +
 7 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 private/art_boot.te
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index f1aa92b43..ada6c3b3b 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -2,6 +2,7 @@
 # System files
 #
 (/.*)? u:object_r:system_file:s0
+/bin/art_boot u:object_r:art_boot_exec:s0
 /bin/art_exec u:object_r:art_exec_exec:s0
 /bin/artd u:object_r:artd_exec:s0
 /bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index cc60b700f..a3fc35d55 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -2,6 +2,7 @@
 # System files
 #
 (/.*)? u:object_r:system_file:s0
+/bin/art_boot u:object_r:art_boot_exec:s0
 /bin/art_exec u:object_r:art_exec_exec:s0
 /bin/artd u:object_r:artd_exec:s0
 /bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
diff --git a/private/art_boot.te b/private/art_boot.te
new file mode 100644
index 000000000..1b088d61f
--- /dev/null
+++ b/private/art_boot.te
@@ -0,0 +1,9 @@
+# ART boot oneshot service
+type art_boot, domain, coredomain;
+type art_boot_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(art_boot)
+
+# Allow ART to set its config properties at boot, mainly to be able to propagate
+# experiment flags to properties that only may change at boot.
+set_prop(art_boot, dalvik_config_prop_type)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3a4974598..79f925f73 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -7,6 +7,8 @@
 ( new_objects
 adaptive_haptics_prop
 apex_ready_prop
+ art_boot
+ art_boot_exec
 artd
 bt_device
 build_attestation_prop
diff --git a/private/domain.te b/private/domain.te
index 30ceb241f..08adeb852 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -534,6 +534,10 @@ neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
 # Do not allow reading the last boot timestamp from system properties
 neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
 
+# Allow ART to set its config properties in its oneshot boot service, in
+# addition to the common init and vendor_init access.
+neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;
+
 # Kprobes should only be used by adb root
 neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
 
diff --git a/public/property.te b/public/property.te
index 076ced976..acb4033f2 100644
--- a/public/property.te
+++ b/public/property.te
@@ -147,7 +147,6 @@ system_vendor_config_prop(charger_config_prop)
 system_vendor_config_prop(codec2_config_prop)
 system_vendor_config_prop(composd_vm_vendor_prop)
 system_vendor_config_prop(cpu_variant_prop)
-system_vendor_config_prop(dalvik_config_prop)
 system_vendor_config_prop(debugfs_restriction_prop)
 system_vendor_config_prop(drm_service_config_prop)
 system_vendor_config_prop(exported_camera_prop)
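Review bot: In private/art_boot.te the grant `set_prop(art_boot, dalvik_config_prop_type)` is written against an attribute, while the neverallow exception this patch adds in private/domain.te names only the type `dalvik_config_prop`. The attribute's declaration and its member types are not part of this patch, so the reach of the grant cannot be checked from here; every property type carrying the attribute becomes settable by the new domain. If the oneshot service only needs the boot-time config type, `set_prop(art_boot, dalvik_config_prop)` would keep the allow rule and the neverallow exception in step; otherwise the comment above the rule should list which property types the attribute covers.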
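Review bot: The comment added above the new neverallow in private/domain.te reads as a grant ("Allow ART to set its config properties…"), but the statement below it is a restriction and grants nothing. Since `dalvik_config_prop` is no longer declared with `system_vendor_config_prop` in public/property.te, this rule appears to be the only place that limits who may set it, and the comment should say so, for example `# Only init, vendor_init and the ART boot oneshot service (art_boot) may set dalvik_config_prop.` A reader auditing writers of this property would otherwise look for an allow rule here.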
@@ -209,6 +208,7 @@ system_public_prop(ctl_default_prop)
 system_public_prop(ctl_interface_start_prop)
 system_public_prop(ctl_start_prop)
 system_public_prop(ctl_stop_prop)
+system_public_prop(dalvik_config_prop)
 system_public_prop(dalvik_dynamic_config_prop)
 system_public_prop(dalvik_runtime_prop)
 system_public_prop(debug_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 3942c27c5..9dd9898ff 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -235,6 +235,7 @@ set_prop(vendor_init, bluetooth_config_prop)
 set_prop(vendor_init, camera2_extensions_prop)
 set_prop(vendor_init, camerax_extensions_prop)
 set_prop(vendor_init, cpu_variant_prop)
+set_prop(vendor_init, dalvik_config_prop)
 set_prop(vendor_init, dalvik_dynamic_config_prop)
 set_prop(vendor_init, dalvik_runtime_prop)
 set_prop(vendor_init, debug_prop)