Allow the ART boot oneshot service to configure ART config properties.
Test: See commit 2691baf9d4f8086902d46b2e340a6e5464857b90 in art/
(ag/23125728)
Bug: 281850017
Ignore-AOSP-First: Will cherry-pick to AOSP later
Change-Id: I14baf55d07ad559294bd3b7d9562230e78201d25
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index f1aa92b..ada6c3b 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -2,6 +2,7 @@
# System files
#
(/.*)? u:object_r:system_file:s0
+/bin/art_boot u:object_r:art_boot_exec:s0
/bin/art_exec u:object_r:art_exec_exec:s0
/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index cc60b70..a3fc35d 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -2,6 +2,7 @@
# System files
#
(/.*)? u:object_r:system_file:s0
+/bin/art_boot u:object_r:art_boot_exec:s0
/bin/art_exec u:object_r:art_exec_exec:s0
/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
diff --git a/prebuilts/api/34.0/private/art_boot.te b/prebuilts/api/34.0/private/art_boot.te
new file mode 100644
index 0000000..1b088d6
--- /dev/null
+++ b/prebuilts/api/34.0/private/art_boot.te
@@ -0,0 +1,9 @@
+# ART boot oneshot service
+type art_boot, domain, coredomain;
+type art_boot_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(art_boot)
+
+# Allow ART to set its config properties at boot, mainly to be able to propagate
+# experiment flags to properties that only may change at boot.
+set_prop(art_boot, dalvik_config_prop_type)
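Review bot: The grant on the last line is written against the attribute `dalvik_config_prop_type`, while the neverallow this commit adds in domain.te names only the single type `dalvik_config_prop`, so the two rules do not obviously cover the same set of properties. The attribute's declaration and membership are not visible in this diff; if it holds more types than `dalvik_config_prop`, art_boot gains write access to properties that the new neverallow does not guard. Either narrow the grant to `set_prop(art_boot, dalvik_config_prop)` or state in the comment which types the attribute is meant to contain, so the least-privilege intent can be checked. The same applies to the identical hunk in private/art_boot.te.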
diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
index 54078ba..3ad58d5 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
@@ -7,6 +7,8 @@
( new_objects
adaptive_haptics_prop
apex_ready_prop
+ art_boot
+ art_boot_exec
artd
bt_device
build_attestation_prop
diff --git a/prebuilts/api/34.0/private/domain.te b/prebuilts/api/34.0/private/domain.te
index 26d9750..c08f041 100644
--- a/prebuilts/api/34.0/private/domain.te
+++ b/prebuilts/api/34.0/private/domain.te
@@ -539,6 +539,10 @@
# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
+# Allow ART to set its config properties in its oneshot boot service, in
+# addition to the common init and vendor_init access.
+neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;
+
# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
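Review bot: The comment above the new neverallow reads as a grant ("Allow ART to set ..."), but the rule is a restriction and the actual allow lives in art_boot.te, so someone auditing domain.te for who may write these properties can misread it. A wording that states the invariant would be clearer, for example `# Only init, vendor_init and the art_boot oneshot service may set dalvik_config_prop.` If this rule is standing in for a restriction that the old `system_vendor_config_prop` declaration supplied (the macro body is not shown here), the comment should say so. The same applies to the identical hunk in private/domain.te.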
diff --git a/prebuilts/api/34.0/public/property.te b/prebuilts/api/34.0/public/property.te
index 5ee8d60..7988369 100644
--- a/prebuilts/api/34.0/public/property.te
+++ b/prebuilts/api/34.0/public/property.te
@@ -147,7 +147,6 @@
system_vendor_config_prop(codec2_config_prop)
system_vendor_config_prop(composd_vm_vendor_prop)
system_vendor_config_prop(cpu_variant_prop)
-system_vendor_config_prop(dalvik_config_prop)
system_vendor_config_prop(debugfs_restriction_prop)
system_vendor_config_prop(drm_service_config_prop)
system_vendor_config_prop(exported_camera_prop)
@@ -210,6 +209,7 @@
system_public_prop(ctl_interface_start_prop)
system_public_prop(ctl_start_prop)
system_public_prop(ctl_stop_prop)
+system_public_prop(dalvik_config_prop)
system_public_prop(dalvik_dynamic_config_prop)
system_public_prop(dalvik_runtime_prop)
system_public_prop(debug_prop)
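Review bot: Declaring `dalvik_config_prop` with `system_public_prop` means its write restriction no longer travels with the declaration; it now depends on the separate neverallow in private/domain.te and the explicit `set_prop(vendor_init, dalvik_config_prop)` in vendor_init.te staying in sync. Nothing at this line records that, so a later cleanup could move the property back to `system_vendor_config_prop` (which presumably conflicts with the art_boot grant) or drop the neverallow without noticing the gap. A comment above the added line would help, such as `# Not system_vendor_config_prop: art_boot also sets this; see the neverallow in private/domain.te.` The same applies to the identical hunk in public/property.te.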
diff --git a/prebuilts/api/34.0/public/vendor_init.te b/prebuilts/api/34.0/public/vendor_init.te
index 3942c27..9dd9898 100644
--- a/prebuilts/api/34.0/public/vendor_init.te
+++ b/prebuilts/api/34.0/public/vendor_init.te
@@ -235,6 +235,7 @@
set_prop(vendor_init, camera2_extensions_prop)
set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
+set_prop(vendor_init, dalvik_config_prop)
set_prop(vendor_init, dalvik_dynamic_config_prop)
set_prop(vendor_init, dalvik_runtime_prop)
set_prop(vendor_init, debug_prop)
diff --git a/private/art_boot.te b/private/art_boot.te
new file mode 100644
index 0000000..1b088d6
--- /dev/null
+++ b/private/art_boot.te
@@ -0,0 +1,9 @@
+# ART boot oneshot service
+type art_boot, domain, coredomain;
+type art_boot_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(art_boot)
+
+# Allow ART to set its config properties at boot, mainly to be able to propagate
+# experiment flags to properties that only may change at boot.
+set_prop(art_boot, dalvik_config_prop_type)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 54078ba..3ad58d5 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -7,6 +7,8 @@
( new_objects
adaptive_haptics_prop
apex_ready_prop
+ art_boot
+ art_boot_exec
artd
bt_device
build_attestation_prop
diff --git a/private/domain.te b/private/domain.te
index 26d9750..c08f041 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -539,6 +539,10 @@
# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
+# Allow ART to set its config properties in its oneshot boot service, in
+# addition to the common init and vendor_init access.
+neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;
+
# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
diff --git a/public/property.te b/public/property.te
index 5ee8d60..7988369 100644
--- a/public/property.te
+++ b/public/property.te
@@ -147,7 +147,6 @@
system_vendor_config_prop(codec2_config_prop)
system_vendor_config_prop(composd_vm_vendor_prop)
system_vendor_config_prop(cpu_variant_prop)
-system_vendor_config_prop(dalvik_config_prop)
system_vendor_config_prop(debugfs_restriction_prop)
system_vendor_config_prop(drm_service_config_prop)
system_vendor_config_prop(exported_camera_prop)
@@ -210,6 +209,7 @@
system_public_prop(ctl_interface_start_prop)
system_public_prop(ctl_start_prop)
system_public_prop(ctl_stop_prop)
+system_public_prop(dalvik_config_prop)
system_public_prop(dalvik_dynamic_config_prop)
system_public_prop(dalvik_runtime_prop)
system_public_prop(debug_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 3942c27..9dd9898 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -235,6 +235,7 @@
set_prop(vendor_init, camera2_extensions_prop)
set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
+set_prop(vendor_init, dalvik_config_prop)
set_prop(vendor_init, dalvik_dynamic_config_prop)
set_prop(vendor_init, dalvik_runtime_prop)
set_prop(vendor_init, debug_prop)