Revert "Revert "Define sepolicy for ro.product.vndk.version""

This reverts commit f536a60407.

Reason for revert: Resubmit the CL with the fix in vendor_init.te

Bug: 144534640
Test: lunch sdk-userdebug; m sepolicy_tests
Change-Id: I47c589c071324d8f031a0f7ebdfa8188869681e9

private/compat/26.0/26.0.ignore.cil

@@ -199,6 +199,7 @@
     vendor_apex_file
     vendor_init
     vendor_shell
+    vndk_prop
     vold_metadata_file
     vold_prepare_subdirs
     vold_prepare_subdirs_exec

private/compat/27.0/27.0.ignore.cil

@@ -177,6 +177,7 @@
     vendor_init
     vendor_security_patch_level_prop
     vendor_shell
+    vndk_prop
     vold_metadata_file
     vold_prepare_subdirs
     vold_prepare_subdirs_exec

private/compat/28.0/28.0.ignore.cil

@@ -151,5 +151,6 @@
     vendor_misc_writer
     vendor_misc_writer_exec
     vendor_task_profiles_file
+    vndk_prop
     vrflinger_vsync_service
     watchdogd_tmpfs))

private/compat/29.0/29.0.ignore.cil

@@ -62,4 +62,5 @@
     vendor_boringssl_self_test
     vendor_install_recovery
     vendor_install_recovery_exec
+    vndk_prop
     virtual_ab_prop))

public/domain.te

@@ -101,6 +101,7 @@ get_prop(domain, exported_system_prop)
 get_prop(domain, exported_vold_prop)
 get_prop(domain, exported2_default_prop)
 get_prop(domain, logd_prop)
+get_prop(domain, vndk_prop)
 
 # Let everyone read log properties, so that liblog can avoid sending unloggable
 # messages to logd.
@@ -509,6 +510,7 @@ neverallow * hidl_base_hwservice:hwservice_manager find;
 # anyone but init to modify unknown properties.
 neverallow { domain -init -vendor_init } default_prop:property_service set;
 neverallow { domain -init -vendor_init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init } vndk_prop:property_service set;
 
 compatible_property_only(`
     neverallow { domain -init } default_prop:property_service set;

public/property.te

@@ -66,6 +66,7 @@ system_restricted_prop(restorecon_prop)
 system_restricted_prop(system_boot_reason_prop)
 system_restricted_prop(system_jvmti_agent_prop)
 system_restricted_prop(userspace_reboot_exported_prop)
+system_restricted_prop(vndk_prop)
 
 compatible_property_only(`
     # DO NOT ADD ANY PROPERTIES HERE

public/property_contexts

@@ -385,6 +385,7 @@ ro.product.vendor.device u:object_r:exported_default_prop:s0 exact string
 ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
 ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
 ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
+ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
 ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact enum default legacy AP-assisted
 ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
 ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int

public/vendor_init.te

@@ -224,6 +224,7 @@ not_compatible_property(`
       -module_sdkext_prop
       -userspace_reboot_exported_prop
       -userspace_reboot_prop
+      -vndk_prop
     })
 ')