platform_system_sepolicy/public/flags_health_check.te
Valerie Hau 7b2a2dff0c Whitelisting window_manager_native_boot system property
Bug: 147096935
Test: build, boot

Change-Id: Iadeefa3cfc9bb17eb19b60dbd18de047fa01b673
2020-01-21 22:54:49 +00:00

34 lines
2.2 KiB
Text

# The flags_health_check command run by init.
type flags_health_check, domain, coredomain;
type flags_health_check_exec, system_file_type, exec_type, file_type;
set_prop(flags_health_check, device_config_boot_count_prop)
set_prop(flags_health_check, device_config_reset_performed_prop)
set_prop(flags_health_check, device_config_runtime_native_boot_prop)
set_prop(flags_health_check, device_config_runtime_native_prop)
set_prop(flags_health_check, device_config_input_native_boot_prop)
set_prop(flags_health_check, device_config_netd_native_prop)
set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
set_prop(flags_health_check, device_config_media_native_prop)
set_prop(flags_health_check, device_config_storage_native_boot_prop)
set_prop(flags_health_check, device_config_sys_traced_prop)
set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
# wrong timing, trigger server configurable flag related disaster recovery, which will override
# server configured values of all flags with default values.
neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
# system property device_config_reset_performed_prop is used for indicating whether server
# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
# cause bad server configurable flags synced back to device.
neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
# server_configurable_flags_data_file is used for storing whether server configurable flags which
# have been reset during current booting. Mistakenly modified by unrelated components can
# cause bad server configurable flags synced back to device.
neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file no_w_file_perms;