SELinux configuration for memory safety device configs.

This property will be read by system libraries in arbitrary processes, so it is
a public property with read access granted to `domain`.

Bug: 235129567
Change-Id: I1ab880626e4efa2affe90165ce94a404b918849d
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 36491a6..305116c 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    device_config_memory_safety_native_prop
     device_config_vendor_system_native_prop
     hal_bootctl_service
     permissive_mte_prop
diff --git a/private/domain.te b/private/domain.te
index 2d2dd52..81e781e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -80,6 +80,8 @@
 # Allow all domains to check whether MTE is set to permissive mode.
 get_prop(domain, permissive_mte_prop);
 
+get_prop(domain, device_config_memory_safety_native_prop);
+
 # For now, everyone can access core property files
 # Device specific properties are not granted by default
 not_compatible_property(`
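Review bot: The new `get_prop(domain, device_config_memory_safety_native_prop);` grants every process domain read access but, unlike the permissive_mte_prop rule directly above it, carries no comment saying why that breadth is intended, so a later reader cannot tell a deliberate grant from an over-broad one. Add `# Allow all domains to read the memory-safety device config flags; system libraries consult them from arbitrary processes.` immediately above the new line, mirroring the MTE comment. The declaration of the property type itself does not appear in any visible hunk, so whether it is declared with a macro that allows readers on both sides of the system/vendor boundary (which `domain` spans) cannot be confirmed from this diff and should be checked in the change that declares it.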
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 54ecd45..cef7bde 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -25,6 +25,7 @@
 set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
 set_prop(flags_health_check, device_config_vendor_system_native_prop)
 set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
+set_prop(flags_health_check, device_config_memory_safety_native_prop)
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
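Review bot: The new `set_prop(flags_health_check, device_config_memory_safety_native_prop)` is appended below the virtualization_framework entry, but the surrounding device_config lines are kept in alphabetical order, so it belongs above the `device_config_surface_flinger_native_boot_prop` line. The same placement applies to the system_server.te hunk, where the new set_prop should sit above its surface_flinger sibling, and to the property_contexts hunk, where `persist.device_config.memory_safety_native.` should precede the vendor_system_native entry. Keeping these lists sorted makes duplicate or missing grants easy to spot in review.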
diff --git a/private/property_contexts b/private/property_contexts
index 5a81aa5..8d33c24 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -259,6 +259,7 @@
 persist.device_config.vendor_system_native.         u:object_r:device_config_vendor_system_native_prop:s0
 persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
 persist.device_config.window_manager_native_boot.   u:object_r:device_config_window_manager_native_boot_prop:s0
+persist.device_config.memory_safety_native.         u:object_r:device_config_memory_safety_native_prop:s0
 
 # F2FS smart idle maint prop
 persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
diff --git a/private/system_server.te b/private/system_server.te
index 81cde09..c3be29c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -762,6 +762,7 @@
 set_prop(system_server, device_config_surface_flinger_native_boot_prop)
 set_prop(system_server, device_config_vendor_system_native_prop)
 set_prop(system_server, device_config_virtualization_framework_native_prop)
+set_prop(system_server, device_config_memory_safety_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)
 
 # Allow query ART device config properties