Update sepolicy for GPU profiling properties.
A device must indicate whether GPU profiling is supported or not through
setting these two properties properly. CTS needs to read these two
properties in order to run corresponding compliance tests. Hence need to
update sepolicy for these two properties.
Bug: b/157832445
Test: Test on Pixel 4
Change-Id: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
Merged-In: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
diff --git a/prebuilts/api/30.0/private/app.te b/prebuilts/api/30.0/private/app.te
index a03bcb0..b2ddd84 100644
--- a/prebuilts/api/30.0/private/app.te
+++ b/prebuilts/api/30.0/private/app.te
@@ -35,3 +35,6 @@
{ domain -appdomain -crash_dump -rs }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
+
+# Allow to read graphics related properties.
+get_prop(appdomain, graphics_config_prop)
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index f84e922..0f1d285 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -46,6 +46,7 @@
file_integrity_service
fwk_automotive_display_hwservice
gmscore_app
+ graphics_config_prop
hal_can_bus_hwservice
hal_can_controller_hwservice
hal_identity_service
diff --git a/prebuilts/api/30.0/private/property.te b/prebuilts/api/30.0/private/property.te
index 139c978..511aa5a 100644
--- a/prebuilts/api/30.0/private/property.te
+++ b/prebuilts/api/30.0/private/property.te
@@ -329,3 +329,10 @@
} {
userspace_reboot_test_prop
}:property_service set;
+
+neverallow {
+ -init
+ -vendor_init
+} {
+ graphics_config_prop
+}:property_service set;
diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts
index b489f13..b8d9d63 100644
--- a/prebuilts/api/30.0/private/property_contexts
+++ b/prebuilts/api/30.0/private/property_contexts
@@ -699,3 +699,7 @@
cache_key.bluetooth. u:object_r:binder_cache_bluetooth_server_prop:s0 prefix string
cache_key.system_server. u:object_r:binder_cache_system_server_prop:s0 prefix string
cache_key.telephony. u:object_r:binder_cache_telephony_server_prop:s0 prefix string
+
+# Graphics related properties
+graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
+graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
diff --git a/prebuilts/api/30.0/private/shell.te b/prebuilts/api/30.0/private/shell.te
index 63757eb..2a2af0f 100644
--- a/prebuilts/api/30.0/private/shell.te
+++ b/prebuilts/api/30.0/private/shell.te
@@ -140,3 +140,6 @@
get_prop(shell, init_perf_lsm_hooks_prop)
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
+
+# Allow to read graphics related properties.
+get_prop(shell, graphics_config_prop)
diff --git a/prebuilts/api/30.0/public/property.te b/prebuilts/api/30.0/public/property.te
index e4627f7..532366b 100644
--- a/prebuilts/api/30.0/public/property.te
+++ b/prebuilts/api/30.0/public/property.te
@@ -104,6 +104,7 @@
system_vendor_config_prop(exported_config_prop)
system_vendor_config_prop(exported_default_prop)
system_vendor_config_prop(exported3_default_prop)
+system_vendor_config_prop(graphics_config_prop)
system_vendor_config_prop(incremental_prop)
system_vendor_config_prop(media_variant_prop)
system_vendor_config_prop(storage_config_prop)
diff --git a/private/app.te b/private/app.te
index 3dff8fe..27ef097 100644
--- a/private/app.te
+++ b/private/app.te
@@ -46,3 +46,6 @@
# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+
+# Allow to read graphics related properties.
+get_prop(appdomain, graphics_config_prop)
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index ed41f76..473062a 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -48,6 +48,7 @@
fwk_automotive_display_hwservice
gmscore_app
gnss_device
+ graphics_config_prop
hal_can_bus_hwservice
hal_can_controller_hwservice
hal_identity_service
diff --git a/private/property.te b/private/property.te
index 64c8af1..1aa4ddf 100644
--- a/private/property.te
+++ b/private/property.te
@@ -399,3 +399,10 @@
-hal_telephony_server
not_compatible_property(`-vendor_init')
} telephony_status_prop:property_service set;
+
+neverallow {
+ -init
+ -vendor_init
+} {
+ graphics_config_prop
+}:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 4793437..41eb3c8 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -851,3 +851,7 @@
persist.dbg.volte_avail_ovr u:object_r:telephony_config_prop:s0 exact int
persist.dbg.vt_avail_ovr u:object_r:telephony_config_prop:s0 exact int
persist.dbg.wfc_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+
+# Graphics related properties
+graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
+graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
diff --git a/private/shell.te b/private/shell.te
index 63757eb..2a2af0f 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -140,3 +140,6 @@
get_prop(shell, init_perf_lsm_hooks_prop)
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
+
+# Allow to read graphics related properties.
+get_prop(shell, graphics_config_prop)
diff --git a/public/property.te b/public/property.te
index 227384b..0fe8e91 100644
--- a/public/property.te
+++ b/public/property.te
@@ -114,6 +114,7 @@
system_vendor_config_prop(exported_default_prop)
system_vendor_config_prop(exported3_default_prop)
system_vendor_config_prop(ffs_config_prop)
+system_vendor_config_prop(graphics_config_prop)
system_vendor_config_prop(hdmi_config_prop)
system_vendor_config_prop(incremental_prop)
system_vendor_config_prop(lmkd_config_prop)