[MTE] allow mtectrl to sync state to property.
Bug: 245624194
Change-Id: If580f3e64a839ee409b58e80300b927f6898c894
diff --git a/private/domain.te b/private/domain.te
index 3d59a27..efd7092 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -630,3 +630,5 @@
sdk_sandbox
untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };
+
+neverallow { domain -init } mtectrl:process { dyntransition transition };
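Review bot: The new neverallow that closes domain.te carries no comment saying why only init may transition into the mtectrl domain, and the reason is not local to this file: the companion hunks let mtectrl set arm64_memtag_prop and read/write misc_block_device, so this rule is what keeps those permissions bound to the init-started daemon rather than to anything that could exec its binary. Proposed comment above the rule: `# Only init may start mtectrl: it can set arm64_memtag_prop and write the misc partition, so no other domain may transition into it.` The neverallow that precedes it (ending at the `} system_app_data_file:dir_file_class_set` line) begins outside the hunk.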
diff --git a/private/mtectrl.te b/private/mtectrl.te
index 436dcae..a727b25 100644
--- a/private/mtectrl.te
+++ b/private/mtectrl.te
@@ -4,7 +4,12 @@
init_daemon_domain(mtectrl)
+# to set the sys prop to match the bootloader message state.
+set_prop(mtectrl, arm64_memtag_prop)
+
# mtectrl communicates the request to the bootloader via the misc partition.
-allow mtectrl misc_block_device:blk_file w_file_perms;
+# needs to write to update the request in misc partition, and read to sync
+# back to the property.
+allow mtectrl misc_block_device:blk_file rw_file_perms;
allow mtectrl block_device:dir r_dir_perms;
read_fstab(mtectrl)
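Review bot: The comment above `set_prop(mtectrl, arm64_memtag_prop)` is a lower-case fragment that does not say which direction the sync runs or where the state comes from; the second comment explains the read, but a reader of the first line alone cannot tell. Suggested wording: `# mtectrl mirrors the MTE state recorded in the misc partition's bootloader message into arm64_memtag_prop.` The change from w_file_perms to rw_file_perms also gives mtectrl read access to the whole misc partition, not only the MTE message; that is presumably unavoidable for a block device, but is worth stating in the comment so the scope is deliberate. The hunk header advertises 7 old and 12 new lines while 5 and 10 are shown, so blank context lines appear to have been dropped in this rendering.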
diff --git a/private/property.te b/private/property.te
index 805b70d..66dba1d 100644
--- a/private/property.te
+++ b/private/property.te
@@ -430,6 +430,7 @@
-init
-shell
-system_app
+ -mtectrl
} {
arm64_memtag_prop
gwp_asan_prop
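Review bot: Adding `-mtectrl` here exempts it from the neverallow for every property in the brace list (arm64_memtag_prop, gwp_asan_prop, and any that follow), while mtectrl.te grants it only arm64_memtag_prop; the neverallow therefore no longer catches a later allow rule that widens mtectrl to the other properties in this set. If the policy structure permits, a separate neverallow for mtectrl covering the remaining properties would keep that check; at minimum add a comment such as `# mtectrl: only arm64_memtag_prop, to mirror the bootloader MTE state`. The neverallow block begins before the hunk, so its full property list and target class are not visible here.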