sepolicy: allow surfaceflinger to set surfaceflinger_display_prop

W//system/bin/init: type=1107 audit(0.0:51): uid=0 auid=4294967295
ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set }
for property=graphics.display.kernel_idle_timer.enabled pid=643
uid=1000 gid=1003 scontext=u:r:surfaceflinger:s0
tcontext=u:object_r:surfaceflinger_display_prop:s0
tclass=property_service permissive=0

Bug: 157513573
Test: surfaceflinger can set graphics.display.kernel_idle_timer.enabled
Test: vendor_init can get graphics.display.kernel_idle_timer.enabled
Change-Id: I78023a7857c8aa81a8863010b875bcb885bae614
diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts
index 32f5e1b..c3134f9 100644
--- a/prebuilts/api/30.0/private/property_contexts
+++ b/prebuilts/api/30.0/private/property_contexts
@@ -257,5 +257,5 @@
 init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
 init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
 
-# vendor-init-settable
+# surfaceflinger-settable
 graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
diff --git a/prebuilts/api/30.0/private/surfaceflinger.te b/prebuilts/api/30.0/private/surfaceflinger.te
index 36c39d6..2e9ce19 100644
--- a/prebuilts/api/30.0/private/surfaceflinger.te
+++ b/prebuilts/api/30.0/private/surfaceflinger.te
@@ -57,9 +57,7 @@
 set_prop(surfaceflinger, exported2_system_prop)
 set_prop(surfaceflinger, exported3_system_prop)
 set_prop(surfaceflinger, ctl_bootanim_prop)
-
-# Get properties
-get_prop(surfaceflinger, surfaceflinger_display_prop)
+set_prop(surfaceflinger, surfaceflinger_display_prop)
 
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
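Review bot: The added `set_prop(surfaceflinger, surfaceflinger_display_prop)` has no comment saying why surfaceflinger needs write access, whereas the system_app rule this commit removes was documented. Consider a line above it such as `# Allow surfaceflinger to set graphics.display.kernel_idle_timer.enabled`. Dropping the separate `get_prop` line should be harmless if `set_prop` expands to include `get_prop`, as it does in the stock te_macros, but that macro is not visible in this diff, so it is worth confirming. The same applies to the matching hunk in private/surfaceflinger.te.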
diff --git a/prebuilts/api/30.0/private/system_app.te b/prebuilts/api/30.0/private/system_app.te
index 1e91be0..0b77bb3 100644
--- a/prebuilts/api/30.0/private/system_app.te
+++ b/prebuilts/api/30.0/private/system_app.te
@@ -57,8 +57,6 @@
 auditallow system_app exported_system_radio_prop:property_service set;
 # Allow Settings to enable Dynamic System Update
 set_prop(system_app, dynamic_system_prop)
-# Allow Settings to config display kernel idle timer
-set_prop(system_app, surfaceflinger_display_prop)
 
 # ctl interface
 set_prop(system_app, ctl_default_prop)
diff --git a/prebuilts/api/30.0/public/property.te b/prebuilts/api/30.0/public/property.te
index 683d871..d9ac231 100644
--- a/prebuilts/api/30.0/public/property.te
+++ b/prebuilts/api/30.0/public/property.te
@@ -76,6 +76,7 @@
 system_restricted_prop(nnapi_ext_deny_product_prop)
 system_restricted_prop(restorecon_prop)
 system_restricted_prop(socket_hook_prop)
+system_restricted_prop(surfaceflinger_display_prop)
 system_restricted_prop(system_boot_reason_prop)
 system_restricted_prop(system_jvmti_agent_prop)
 system_restricted_prop(userspace_reboot_exported_prop)
@@ -165,7 +166,6 @@
 system_public_prop(powerctl_prop)
 system_public_prop(radio_prop)
 system_public_prop(serialno_prop)
-system_public_prop(surfaceflinger_display_prop)
 system_public_prop(system_prop)
 system_public_prop(wifi_log_prop)
 system_public_prop(wifi_prop)
@@ -611,8 +611,7 @@
 
 neverallow {
   -init
-  -vendor_init
-  -system_app
+  -surfaceflinger
 } {
   surfaceflinger_display_prop
 }:property_service set;
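Review bot: This neverallow is what pins the writers of `surfaceflinger_display_prop` to init and surfaceflinger, yet nothing in the visible lines states that intent. The hunk starts at the blank line above `neverallow {`, so a comment may exist outside it. If there is none, add one such as `# Only init and surfaceflinger may set surfaceflinger_display_prop.` so that a later exemption reads as a deliberate, reviewed widening rather than a quick fix for a build break. The identical block in private/property.te has the same gap.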
diff --git a/prebuilts/api/30.0/public/vendor_init.te b/prebuilts/api/30.0/public/vendor_init.te
index 2d091e7..df203be 100644
--- a/prebuilts/api/30.0/public/vendor_init.te
+++ b/prebuilts/api/30.0/public/vendor_init.te
@@ -234,7 +234,6 @@
 set_prop(vendor_init, rebootescrow_hal_prop)
 set_prop(vendor_init, serialno_prop)
 set_prop(vendor_init, storage_config_prop)
-set_prop(vendor_init, surfaceflinger_display_prop)
 set_prop(vendor_init, userspace_reboot_config_prop)
 set_prop(vendor_init, vehicle_hal_prop)
 set_prop(vendor_init, vendor_default_prop)
@@ -245,6 +244,7 @@
 
 get_prop(vendor_init, exported2_radio_prop)
 get_prop(vendor_init, exported3_system_prop)
+get_prop(vendor_init, surfaceflinger_display_prop)
 get_prop(vendor_init, theme_prop)
 
 get_prop(vendor_init, ota_prop)
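Review bot: vendor_init is left with read access only, because `set_prop(vendor_init, surfaceflinger_display_prop)` is removed in the previous hunk of this file, and the old property_contexts comment described this property as vendor-init-settable. Any vendor init script that still sets `graphics.display.kernel_idle_timer.enabled`, if one exists, would now be denied at runtime with an avc message like the one in the commit description, and neither Test line exercises that case. A comment beside the new rule, for example `# Read-only: surfaceflinger_display_prop is set by surfaceflinger`, would make the change of ownership explicit. The same applies to public/vendor_init.te.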
diff --git a/private/property.te b/private/property.te
index c5a4f83..b5505e5 100644
--- a/private/property.te
+++ b/private/property.te
@@ -409,8 +409,7 @@
 
 neverallow {
   -init
-  -vendor_init
-  -system_app
+  -surfaceflinger
 } {
   surfaceflinger_display_prop
 }:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index bab2a1a..e75fd04 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -859,6 +859,6 @@
 graphics.gpu.profiler.support          u:object_r:graphics_config_prop:s0 exact bool
 graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
 
-# vendor-init-settable
+# surfaceflinger-settable
 graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
 
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index a160246..37601b9 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -56,9 +56,7 @@
 set_prop(surfaceflinger, exported_system_prop)
 set_prop(surfaceflinger, exported3_system_prop)
 set_prop(surfaceflinger, ctl_bootanim_prop)
-
-# Get properties
-get_prop(surfaceflinger, surfaceflinger_display_prop)
+set_prop(surfaceflinger, surfaceflinger_display_prop)
 
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
diff --git a/private/system_app.te b/private/system_app.te
index 18d4a87..e160ff4 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -57,8 +57,6 @@
 auditallow system_app usb_prop:property_service set;
 # Allow Settings to enable Dynamic System Update
 set_prop(system_app, dynamic_system_prop)
-# Allow Settings to config display kernel idle timer
-set_prop(system_app, surfaceflinger_display_prop)
 
 # ctl interface
 set_prop(system_app, ctl_default_prop)
diff --git a/public/property.te b/public/property.te
index 3248c2b..5771a35 100644
--- a/public/property.te
+++ b/public/property.te
@@ -71,6 +71,7 @@
 system_restricted_prop(restorecon_prop)
 system_restricted_prop(retaildemo_prop)
 system_restricted_prop(socket_hook_prop)
+system_restricted_prop(surfaceflinger_display_prop)
 system_restricted_prop(system_boot_reason_prop)
 system_restricted_prop(system_jvmti_agent_prop)
 system_restricted_prop(usb_prop)
@@ -169,7 +170,6 @@
 system_public_prop(radio_prop)
 system_public_prop(serialno_prop)
 system_public_prop(surfaceflinger_color_prop)
-system_public_prop(surfaceflinger_display_prop)
 system_public_prop(system_prop)
 system_public_prop(telephony_status_prop)
 system_public_prop(usb_control_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c7a3a20..c742206 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -233,7 +233,6 @@
 set_prop(vendor_init, serialno_prop)
 set_prop(vendor_init, surfaceflinger_color_prop)
 set_prop(vendor_init, usb_control_prop)
-set_prop(vendor_init, surfaceflinger_display_prop)
 set_prop(vendor_init, userspace_reboot_config_prop)
 set_prop(vendor_init, vehicle_hal_prop)
 set_prop(vendor_init, vendor_default_prop)
@@ -248,6 +247,7 @@
 get_prop(vendor_init, ota_prop)
 get_prop(vendor_init, provisioned_prop)
 get_prop(vendor_init, retaildemo_prop)
+get_prop(vendor_init, surfaceflinger_display_prop)
 get_prop(vendor_init, theme_prop)