Merge "Update sepolicy for GPU profiling properties." am: f08f743702
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1322279
Change-Id: I787d3a5186bbfe4399cfb4cd67459e9b94fc76ba
diff --git a/prebuilts/api/30.0/private/app.te b/prebuilts/api/30.0/private/app.te
index a03bcb0..b2ddd84 100644
--- a/prebuilts/api/30.0/private/app.te
+++ b/prebuilts/api/30.0/private/app.te
@@ -35,3 +35,6 @@
{ domain -appdomain -crash_dump -rs }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
+
+# Allow to read graphics related properties.
+get_prop(appdomain, graphics_config_prop)
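Review bot: The added `get_prop(appdomain, graphics_config_prop)` gives read access to every app domain, but the comment above it does not say why all of them need it. Because the grant is on the type rather than on the two profiler properties, any property later labelled `graphics_config_prop` becomes readable by all apps too. I would widen the comment to state that contract, for example `# All apps read the GPU profiler properties (graphics.gpu.profiler.*); only label app-readable, non-sensitive values as graphics_config_prop.` The same applies to the identical hunk in private/app.te.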
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index 6cb333a..21d87ff 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -47,6 +47,7 @@
fwk_automotive_display_hwservice
fusectlfs
gmscore_app
+ graphics_config_prop
hal_can_bus_hwservice
hal_can_controller_hwservice
hal_identity_service
diff --git a/prebuilts/api/30.0/private/property.te b/prebuilts/api/30.0/private/property.te
index 139c978..511aa5a 100644
--- a/prebuilts/api/30.0/private/property.te
+++ b/prebuilts/api/30.0/private/property.te
@@ -329,3 +329,10 @@
} {
userspace_reboot_test_prop
}:property_service set;
+
+neverallow {
+ -init
+ -vendor_init
+} {
+ graphics_config_prop
+}:property_service set;
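Review bot: The new neverallow has no comment explaining why only init and vendor_init may set `graphics_config_prop`. This matters because the commit labels `graphics.gpu.profiler.vulkan_layer_apk` with this type and lets every app domain read it. A line above the rule such as `# graphics_config_prop is readable by all apps; only init and vendor_init may set it.` would keep the intent visible to anyone later adding an exception. The type is also declared through `system_vendor_config_prop` in public/property.te, so it is worth confirming whether that macro already emits an equivalent restriction and this rule is deliberately the unconditional form. The same applies to private/property.te.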
diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts
index b489f13..b8d9d63 100644
--- a/prebuilts/api/30.0/private/property_contexts
+++ b/prebuilts/api/30.0/private/property_contexts
@@ -699,3 +699,7 @@
cache_key.bluetooth. u:object_r:binder_cache_bluetooth_server_prop:s0 prefix string
cache_key.system_server. u:object_r:binder_cache_system_server_prop:s0 prefix string
cache_key.telephony. u:object_r:binder_cache_telephony_server_prop:s0 prefix string
+
+# Graphics related properties
+graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
+graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
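Review bot: Neither property name carries the `ro.` prefix, so both values stay writable after they are first set. The neverallow in property.te limits the writers to init and vendor_init but does not fix the value for the lifetime of the boot. If these are meant as set-once device configuration, which the `system_vendor_config_prop` declaration suggests, `ro.`-prefixed names would enforce that. Otherwise the comment should say that later changes are expected, e.g. `# Graphics related properties; set by init/vendor_init, may change after boot.` The same entries are added in private/property_contexts.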
diff --git a/prebuilts/api/30.0/private/shell.te b/prebuilts/api/30.0/private/shell.te
index 63757eb..2a2af0f 100644
--- a/prebuilts/api/30.0/private/shell.te
+++ b/prebuilts/api/30.0/private/shell.te
@@ -140,3 +140,6 @@
get_prop(shell, init_perf_lsm_hooks_prop)
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
+
+# Allow to read graphics related properties.
+get_prop(shell, graphics_config_prop)
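Review bot: This grant looks redundant with the `get_prop(appdomain, graphics_config_prop)` added in app.te. The neverallow context in that file subtracts `-shell` from `appdomain`, which suggests shell is already a member of that attribute. If so, either drop the shell rule or make the comment say why it is kept, e.g. `# Explicit for clarity; shell is also covered by the appdomain rule in app.te.` The same applies to private/shell.te.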
diff --git a/prebuilts/api/30.0/public/property.te b/prebuilts/api/30.0/public/property.te
index e4627f7..532366b 100644
--- a/prebuilts/api/30.0/public/property.te
+++ b/prebuilts/api/30.0/public/property.te
@@ -104,6 +104,7 @@
system_vendor_config_prop(exported_config_prop)
system_vendor_config_prop(exported_default_prop)
system_vendor_config_prop(exported3_default_prop)
+system_vendor_config_prop(graphics_config_prop)
system_vendor_config_prop(incremental_prop)
system_vendor_config_prop(media_variant_prop)
system_vendor_config_prop(storage_config_prop)
diff --git a/private/app.te b/private/app.te
index 3dff8fe..27ef097 100644
--- a/private/app.te
+++ b/private/app.te
@@ -46,3 +46,6 @@
# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+
+# Allow to read graphics related properties.
+get_prop(appdomain, graphics_config_prop)
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index a0229d4..a3b05ad 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -49,6 +49,7 @@
fusectlfs
gmscore_app
gnss_device
+ graphics_config_prop
hal_can_bus_hwservice
hal_can_controller_hwservice
hal_identity_service
diff --git a/private/property.te b/private/property.te
index 64c8af1..1aa4ddf 100644
--- a/private/property.te
+++ b/private/property.te
@@ -399,3 +399,10 @@
-hal_telephony_server
not_compatible_property(`-vendor_init')
} telephony_status_prop:property_service set;
+
+neverallow {
+ -init
+ -vendor_init
+} {
+ graphics_config_prop
+}:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 4793437..41eb3c8 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -851,3 +851,7 @@
persist.dbg.volte_avail_ovr u:object_r:telephony_config_prop:s0 exact int
persist.dbg.vt_avail_ovr u:object_r:telephony_config_prop:s0 exact int
persist.dbg.wfc_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+
+# Graphics related properties
+graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
+graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
diff --git a/private/shell.te b/private/shell.te
index 63757eb..2a2af0f 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -140,3 +140,6 @@
get_prop(shell, init_perf_lsm_hooks_prop)
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
+
+# Allow to read graphics related properties.
+get_prop(shell, graphics_config_prop)
diff --git a/public/property.te b/public/property.te
index 227384b..0fe8e91 100644
--- a/public/property.te
+++ b/public/property.te
@@ -114,6 +114,7 @@
system_vendor_config_prop(exported_default_prop)
system_vendor_config_prop(exported3_default_prop)
system_vendor_config_prop(ffs_config_prop)
+system_vendor_config_prop(graphics_config_prop)
system_vendor_config_prop(hdmi_config_prop)
system_vendor_config_prop(incremental_prop)
system_vendor_config_prop(lmkd_config_prop)