Enable ART properties modularization

ART is becoming a module and we need to be able to add new properties
without modifying the non updatable part of the platform:

- convert ART properties to use prefix in the namespace of
[ro].dalvik.vm.
- enable appdomain and coredomain to read device_config properties
that configure ART

Test: boot
Bug: 181748174
Change-Id: Id23ff78474dba947301e1b6243a112b0f5b4a832
diff --git a/private/app.te b/private/app.te
index 94d24e0..2b3554f 100644
--- a/private/app.te
+++ b/private/app.te
@@ -14,6 +14,11 @@
 get_prop(appdomain, vold_config_prop)
 get_prop(appdomain, adbd_config_prop)
 
+# Allow ART to be configurable via device_config properties
+# (ART "runs" inside the app process)
+get_prop(appdomain, device_config_runtime_native_prop)
+get_prop(appdomain, device_config_runtime_native_boot_prop)
+
 userdebug_or_eng(`perfetto_producer({ appdomain })')
 
 # Prevent apps from causing presubmit failures.
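Review bot: The two `get_prop(appdomain, ...)` lines added after the `adbd_config_prop` grant make every flag in the runtime_native and runtime_native_boot device_config namespaces readable by every domain carrying the `appdomain` attribute, which as far as I know includes untrusted and isolated apps. Nothing in the policy prevents a later flag with device- or user-specific content from being added to those namespaces, so the comment should record the constraint, e.g. `# Readable by all apps, including untrusted ones: these flags must never carry sensitive or per-user data.`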
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 7f2236c..4ee3af7 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -75,6 +75,10 @@
 # Send unsolicited message to system_server
 unix_socket_send(app_zygote, system_unsolzygote, system_server)
 
+# Allow the app_zygote to access the runtime feature flag properties.
+get_prop(app_zygote, device_config_runtime_native_prop)
+get_prop(app_zygote, device_config_runtime_native_boot_prop)
+
 #####
 ##### Neverallow
 #####
diff --git a/private/artd.te b/private/artd.te
index a76074b..0aa12dc 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -10,3 +10,7 @@
 typeattribute artd coredomain;
 
 init_daemon_domain(artd)
+
+# Allow query ART device config properties
+get_prop(artd, device_config_runtime_native_prop)
+get_prop(artd, device_config_runtime_native_boot_prop)
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 5f0a41e..d194acb 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -47,3 +47,7 @@
 
 # Allow testing /data/user/0 which symlinks to /data/data
 allow dexoptanalyzer system_data_file:lnk_file { getattr };
+
+# Allow query ART device config properties
+get_prop(dexoptanalyzer, device_config_runtime_native_prop)
+get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 3ea8ad2..7a64247 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -48,3 +48,7 @@
 
 # Allow updating boot animation status.
 set_prop(odrefresh, bootanim_system_prop)
+
+# Allow query ART device config properties
+get_prop(odrefresh, device_config_runtime_native_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 79b8015..605e912 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -330,7 +330,13 @@
 
 ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
 
-# Should always_debuggable be bool? It's checked against the string "1".
+# ART properties
+dalvik.vm.                 u:object_r:dalvik_config_prop:s0
+ro.dalvik.vm.              u:object_r:dalvik_config_prop:s0
+ro.zygote                  u:object_r:dalvik_config_prop:s0 exact string
+
+# A set of ART properties listed explicitly for compatibility purposes.
+ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.always_debuggable                   u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.appimageformat                      u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.backgroundgctype                    u:object_r:dalvik_config_prop:s0 exact string
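Review bot: The new `dalvik.vm.` and `ro.dalvik.vm.` lines are prefix matches with no `exact <type>` suffix, so any property under those prefixes without its own entry is now labelled `dalvik_config_prop` and its value is not type-checked, unlike the explicit entries below. That is the point of the change, but it also means every domain that can already read or set `dalvik_config_prop` gets the same access to names that do not exist yet. A comment such as `# Prefix entries: new names inherit dalvik_config_prop access and are not type-checked; keep explicit typed entries for security-relevant knobs.` would make that visible. The hunk also deletes the open question about `dalvik.vm.always_debuggable` while leaving the entry as `exact int`; either resolve the question or keep the comment.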
@@ -406,7 +412,6 @@
 dalvik.vm.usejit                              u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.usejitprofiles                      u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry               u:object_r:dalvik_config_prop:s0 exact int
-ro.zygote                                     u:object_r:dalvik_config_prop:s0 exact string
 
 persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
 
@@ -494,8 +499,6 @@
 ro.crypto.volume.metadata.method                u:object_r:vold_config_prop:s0 exact string
 ro.crypto.volume.options                        u:object_r:vold_config_prop:s0 exact string
 
-ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
-
 external_storage.projid.enabled   u:object_r:storage_config_prop:s0 exact bool
 external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
 external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
diff --git a/private/system_server.te b/private/system_server.te
index 7239a30..0e57739 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -706,6 +706,11 @@
 set_prop(system_server, device_config_configuration_prop)
 set_prop(system_server, device_config_connectivity_prop)
 
+
+# Allow query ART device config properties
+get_prop(system_server, device_config_runtime_native_boot_prop)
+get_prop(system_server, device_config_runtime_native_prop)
+
 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
 # PowerManager to read sys.boot.reason
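Review bot: The added block opens with a second consecutive blank line and lists the two types in the opposite order from every other file in this commit. Dropping the extra blank line and writing `get_prop(system_server, device_config_runtime_native_prop)` first keeps the grants uniform and easy to grep. The context lines are part of a run of `set_prop(system_server, device_config_*)` rules. If that run already covers these two types outside the hunk, the new `get_prop` lines are presumably redundant, assuming `set_prop` implies `get_prop` as in AOSP's te_macros, so this is worth checking.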
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 3f217e1..10bcf1c 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -83,6 +83,10 @@
 # Send unsolicited message to system_server
 unix_socket_send(webview_zygote, system_unsolzygote, system_server)
 
+# Allow the webview_zygote to access the runtime feature flag properties.
+get_prop(webview_zygote, device_config_runtime_native_prop)
+get_prop(webview_zygote, device_config_runtime_native_boot_prop)
+
 #####
 ##### Neverallow
 #####
diff --git a/public/profman.te b/public/profman.te
index 8ff6271..c014d79 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -22,6 +22,10 @@
 allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
 allow profman { privapp_data_file app_data_file }:dir { getattr read search };
 
+# Allow query ART device config properties
+get_prop(profman, device_config_runtime_native_prop)
+get_prop(profman, device_config_runtime_native_boot_prop)
+
 ###
 ### neverallow rules
 ###
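Review bot: This is the only grant in the commit that lands under `public/` rather than `private/`, so `get_prop(profman, device_config_runtime_native_prop)` and its `_boot_prop` sibling become part of the public policy that vendor policy is built against. If a `private/profman.te` exists (not visible here), the comment and both rules would fit better there, matching the artd, dexoptanalyzer and odrefresh grants. If they must stay in public policy, the comment should say why.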
diff --git a/public/property.te b/public/property.te
index eca1a8c..57146a4 100644
--- a/public/property.te
+++ b/public/property.te
@@ -11,8 +11,6 @@
 system_internal_prop(device_config_media_native_prop)
 system_internal_prop(device_config_netd_native_prop)
 system_internal_prop(device_config_reset_performed_prop)
-system_internal_prop(device_config_runtime_native_boot_prop)
-system_internal_prop(device_config_runtime_native_prop)
 system_internal_prop(firstboot_prop)
 
 compatible_property_only(`
@@ -67,6 +65,8 @@
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
 system_restricted_prop(charger_status_prop)
+system_restricted_prop(device_config_runtime_native_boot_prop)
+system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(hal_instrumentation_prop)
 system_restricted_prop(init_service_status_prop)
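Review bot: Re-declaring both types with `system_restricted_prop` instead of `system_internal_prop` widens access beyond the domains this commit grants. As I understand the macros, an internal property is fenced off from non-system domains by neverallow rules, while a restricted one can be read by vendor domains once their policy adds a `get_prop`. A line above the two declarations such as `# Restricted, not internal: ART flags must be readable from app processes; writes stay system-only.` would document the intended boundary. If vendor reads are not intended, an explicit neverallow on reads from domains outside coredomain and appdomain would preserve the old guarantee for them.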