Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 565384db61039317d4e1a169f980796f763fb36c^! / . / private
commit565384db61039317d4e1a169f980796f763fb36c[log] [tgz]
authorHung-ying Tyan <tyanh@google.com>Fri Apr 26 16:14:52 2019 +0800
committerHung-ying Tyan <tyanh@google.com>Tue Apr 30 18:29:56 2019 +0800
tree774045ca75777a04e89005e9b3af1f6bcb199d8b
parent2798b5fc93505fc30a5b1ae2ba0cc94b8f16aedc [diff]
Sepolicy: add dynamic_system_prop

and allow shell and system_app (Settings) to set it to enable Dynamic System Update.
Also allow priv_app (user of the API) to read it.

Bug: 119647479
Bug: 129060539
Test: run the following command on crosshatch-user:
      adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1

Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8

diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index f07103d..efdbd5d 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil

@@ -47,6 +47,7 @@
     device_config_sys_traced_prop
     dnsresolver_service
     dynamic_android_service
+    dynamic_system_prop
     face_service
     face_vendor_data_file
     fastbootd

diff --git a/private/priv_app.te b/private/priv_app.te
index c5251a9..ab3847b 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te

@@ -162,6 +162,9 @@
 # profileable/debuggable.
 can_profile_heap(priv_app)
 
+# Allow priv_apps to check whether Dynamic System Update is enabled
+get_prop(priv_app, dynamic_system_prop)
+
 # suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;

diff --git a/private/property_contexts b/private/property_contexts
index da09b82..dd08c32 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -59,6 +59,7 @@
 persist.netd.stable_secret      u:object_r:netd_stable_secret_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
+persist.sys.fflag.override.settings_dynamic_system    u:object_r:dynamic_system_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0
 persist.sys.audit_safemode      u:object_r:safemode_prop:s0
 persist.service.        u:object_r:system_prop:s0

diff --git a/private/system_app.te b/private/system_app.te
index d71ef72..e8627151 100644
--- a/private/system_app.te
+++ b/private/system_app.te

@@ -49,6 +49,8 @@
 auditallow system_app net_radio_prop:property_service set;
 auditallow system_app system_radio_prop:property_service set;
 auditallow system_app exported_system_radio_prop:property_service set;
+# Allow Settings to enable Dynamic System Update
+set_prop(system_app, dynamic_system_prop)
 
 # ctl interface
 set_prop(system_app, ctl_default_prop)