Add build properties for attestation feature
The properties for attestation are configured in build.prop files and
used by frameworks Build.java.
Allow vendor_init to set these properties and allow Zygote to access
them.
Bug: 211547922
Test: SELinuxUncheckedDenialBootTest
Change-Id: I5666524a9708c6fefe113ad4109b8a344405ad57
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 6808973..ba25e04 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -9,6 +9,7 @@
apex_ready_prop
artd
bt_device
+ build_attestation_prop
credential_service
device_config_camera_native_prop
device_config_memory_safety_native_prop
diff --git a/private/incidentd.te b/private/incidentd.te
index c1314a8..e86b3bf 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -193,6 +193,9 @@
get_prop(incidentd, last_boot_reason_prop);
')
+# Allow incident to read the build properties for attestation feature
+get_prop(incidentd, build_attestation_prop);
+
###
### neverallow rules
###
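Review bot: The `get_prop(incidentd, build_attestation_prop);` grant is not covered by the commit description, which names only vendor_init and Zygote, and the comment above it says "incident" rather than "incidentd". The rule is added after the closing `')` of the preceding block, so it appears to apply on all build variants and not only inside whatever condition that block opens; the start of that block is outside the hunk, so this is inferred. I would state the reason for the access in the comment, for example `# Allow incidentd to read the attestation build properties when collecting device info for reports`, adjusted to the actual reason. If incidentd needs the access only on debuggable builds, the rule belongs inside the conditional block.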
diff --git a/private/property_contexts b/private/property_contexts
index 546fab0..45b9fe7 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1067,6 +1067,11 @@
ro.product.vendor_dlkm.model u:object_r:build_vendor_prop:s0 exact string
ro.product.vendor_dlkm.name u:object_r:build_vendor_prop:s0 exact string
+# build props for attestation feature are set by property_service
+ro.product.brand_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.model_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.name_for_attestation u:object_r:build_attestation_prop:s0 exact string
+
# GRF property for the first api level of the vendor partition
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
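Review bot: The comment `# build props for attestation feature are set by property_service` does not match the commit description, which says the values come from build.prop files and that vendor_init is allowed to set them. These three properties stand in for brand, model and name where attestation is concerned, so the next reader of this file needs to know exactly who may write them. I would reword the comment to something like `# Build props for the attestation feature; loaded from build.prop, writable only by init and vendor_init`, after confirming that this is what the type's declaration enforces. The `exact string` matching on all three entries is the right choice, since it stops a prefix match from pulling other property names into this label.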
diff --git a/private/zygote.te b/private/zygote.te
index 0df84db..9c47468 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -195,6 +195,9 @@
allow zygote same_process_hal_file:file { execute read open getattr map };
+# Allow zygote to read build properties for attestation feature
+get_prop(zygote, build_attestation_prop)
+
# Allow the zygote to access storage properties to check if sdcardfs is enabled.
get_prop(zygote, storage_config_prop);
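Review bot: The added `get_prop(zygote, build_attestation_prop)` has no trailing semicolon, while the `get_prop(zygote, storage_config_prop);` line right below it and the new incidentd rule in this same commit both end with one. The macro expansion should compile either way, but the file reads more consistently as `get_prop(zygote, build_attestation_prop);`. The comment could also say why zygote needs the read, for example `# Allow zygote to read the attestation build properties that Build.java loads during preload`, if that matches the actual call path.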
diff --git a/public/property.te b/public/property.te
index 533c57f..63a2e92 100644
--- a/public/property.te
+++ b/public/property.te
@@ -130,6 +130,7 @@
system_vendor_config_prop(audio_config_prop)
system_vendor_config_prop(bootanim_config_prop)
system_vendor_config_prop(bluetooth_config_prop)
+system_vendor_config_prop(build_attestation_prop)
system_vendor_config_prop(build_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
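Review bot: Declaring `build_attestation_prop` with `system_vendor_config_prop` in public policy makes the whole write restriction depend on that macro, whose definition is not visible in this hunk. Because the values labelled with this type describe the device identity used for attestation, it is worth confirming that the macro carries a neverallow on `property_service set` for every domain other than init and vendor_init. If it does not, I would add an explicit rule in the private policy, along the lines of `neverallow { domain -init -vendor_init } build_attestation_prop:property_service set;`. A one-line comment above the declaration stating the intended writers would also help future reviewers of this list.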