commit 56af9a268aa3829a6dd70276ff4cdbb9df027250
author Florian Mayer <fmayer@google.com> Fri May 20 11:25:26 2022 -0700
committer Florian Mayer <fmayer@google.com> Tue Jun 14 10:21:25 2022 -0700
tree c439858ab8941fa9ee12086579e955ce5be2ec64
parent ff418d64994c361b2f27ab27a01821a455cc6d56

Add property for MTE permissive mode.

Bug: 202037138
Change-Id: I272996f124ca8391f9312150d1d8757751fe6acb

private/compat/33.0/33.0.ignore.cil

diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index f15e8f3..36491a6 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -7,6 +7,7 @@
   ( new_objects
     device_config_vendor_system_native_prop
     hal_bootctl_service
+    permissive_mte_prop
     system_net_netd_service
     virtual_face_hal_prop
     virtual_fingerprint_hal_prop

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index af50226..2d2dd52 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -77,6 +77,9 @@
 # Read access to bq configuration values
 get_prop(domain, bq_config_prop);
 
+# Allow all domains to check whether MTE is set to permissive mode.
+get_prop(domain, permissive_mte_prop);
+
 # For now, everyone can access core property files
 # Device specific properties are not granted by default
 not_compatible_property(`

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index 2b86612..5a81aa5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -742,6 +742,7 @@
 
 persist.sys.locale       u:object_r:exported_system_prop:s0 exact string
 persist.sys.timezone     u:object_r:exported_system_prop:s0 exact string
+persist.sys.mte.permissive u:object_r:permissive_mte_prop:s0 exact string
 persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
 
 ro.arch u:object_r:build_prop:s0 exact string

private/su.te

diff --git a/private/su.te b/private/su.te
index 587f449..2496473 100644
--- a/private/su.te
+++ b/private/su.te
@@ -27,4 +27,6 @@
   # Do not audit accesses to keystore2 namespace for the su domain.
   dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
 
+  # Allow root to set MTE permissive mode.
+  set_prop(su, permissive_mte_prop);
 ')

public/property.te

diff --git a/public/property.te b/public/property.te
index 98cabd1..441cd2a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -212,6 +212,7 @@
 system_public_prop(lowpan_prop)
 system_public_prop(nfc_prop)
 system_public_prop(ota_prop)
+system_public_prop(permissive_mte_prop)
 system_public_prop(powerctl_prop)
 system_public_prop(qemu_hw_prop)
 system_public_prop(qemu_sf_lcd_density_prop)