Sepolicy: add dynamic_system_prop
and allow shell and system_app (Settings) to set it to enable Dynamic System Update.
Also allow priv_app (user of the API) to read it.
Bug: 119647479
Bug: 129060539
Test: run the following command on crosshatch-user:
adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1
Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index f07103d..efdbd5d 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -47,6 +47,7 @@
device_config_sys_traced_prop
dnsresolver_service
dynamic_android_service
+ dynamic_system_prop
face_service
face_vendor_data_file
fastbootd
diff --git a/private/priv_app.te b/private/priv_app.te
index c5251a9..ab3847b 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -162,6 +162,9 @@
# profileable/debuggable.
can_profile_heap(priv_app)
+# Allow priv_apps to check whether Dynamic System Update is enabled
+get_prop(priv_app, dynamic_system_prop)
+
# suppress denials for non-API accesses.
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
diff --git a/private/property_contexts b/private/property_contexts
index da09b82..dd08c32 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -59,6 +59,7 @@
persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
+persist.sys.fflag.override.settings_dynamic_system u:object_r:dynamic_system_prop:s0
ro.sys.safemode u:object_r:safemode_prop:s0
persist.sys.audit_safemode u:object_r:safemode_prop:s0
persist.service. u:object_r:system_prop:s0
diff --git a/private/system_app.te b/private/system_app.te
index d71ef72..e8627151 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -49,6 +49,8 @@
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
auditallow system_app exported_system_radio_prop:property_service set;
+# Allow Settings to enable Dynamic System Update
+set_prop(system_app, dynamic_system_prop)
# ctl interface
set_prop(system_app, ctl_default_prop)
diff --git a/public/property.te b/public/property.te
index a5b5e95..8cb19fb 100644
--- a/public/property.te
+++ b/public/property.te
@@ -43,6 +43,7 @@
type dhcp_prop, property_type, core_property_type;
type dumpstate_options_prop, property_type;
type dumpstate_prop, property_type, core_property_type;
+type dynamic_system_prop, property_type;
type exported_secure_prop, property_type;
type ffs_prop, property_type, core_property_type;
type fingerprint_prop, property_type, core_property_type;
@@ -423,6 +424,7 @@
-device_config_runtime_native_prop
-device_config_media_native_prop
-device_config_sys_traced_prop
+ -dynamic_system_prop
-gsid_prop
-heapprofd_enabled_prop
-heapprofd_prop
diff --git a/public/shell.te b/public/shell.te
index 42a19b0..56196c3 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -80,6 +80,8 @@
set_prop(shell, heapprofd_enabled_prop)
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
set_prop(shell, ctl_gsid_prop)
+# Allow shell to enable Dynamic System Update
+set_prop(shell, dynamic_system_prop)
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run