Merge "Add sepolicy for KeyMint VM system properties exposed to vendors" into main
diff --git a/private/property.te b/private/property.te
index 135bcad..e098fb2 100644
--- a/private/property.te
+++ b/private/property.te
@@ -99,6 +99,11 @@
system_restricted_prop(profcollectd_etr_prop)
')
+# These types will be public starting at board api 202504
+until_board_api(202504, `
+ system_vendor_config_prop(trusty_security_vm_sys_vendor_prop)
+')
+
# Properties which should only be written by vendor_init
system_vendor_config_prop(avf_virtualizationservice_prop)
system_vendor_config_prop(high_barometer_quality_prop)
diff --git a/private/property_contexts b/private/property_contexts
index eaa55b9..163c873 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1772,3 +1772,7 @@
# Properties related to Trusty VMs
trusty.security_vm.nonsecure_vm_ready u:object_r:trusty_security_vm_sys_prop:s0 exact bool
trusty.security_vm.vm_cid u:object_r:trusty_security_vm_sys_prop:s0 exact int
+
+# Properties that allows vendors to enable Trusty security VM features
+trusty.security_vm.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
+trusty.security_vm.keymint.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
diff --git a/public/property.te b/public/property.te
index a186f04..cb18741 100644
--- a/public/property.te
+++ b/public/property.te
@@ -206,6 +206,9 @@
system_vendor_config_prop(usb_uvc_enabled_prop)
system_vendor_config_prop(setupwizard_mode_prop)
system_vendor_config_prop(pm_archiving_enabled_prop)
+starting_at_board_api(202504, `
+ system_vendor_config_prop(trusty_security_vm_sys_vendor_prop)
+')
# Properties with no restrictions
system_public_prop(adbd_config_prop)