Add a persist.wm.debug property type and associated permissions
This is intended for wm properties related to wmshell/sysui.
Using this context allows sysui to manipulate these properties
in debug builds.
Bug: 219067621
Test: manual
Change-Id: I5808bf92dbba37e9e6da5559f8e0a5fdac016bf3
diff --git a/private/app.te b/private/app.te
index 856f483..e152591 100644
--- a/private/app.te
+++ b/private/app.te
@@ -14,6 +14,7 @@
get_prop(appdomain, vold_config_prop)
get_prop(appdomain, adbd_config_prop)
get_prop(appdomain, dck_prop)
+get_prop(appdomain, persist_wm_debug_prop)
# Allow ART to be configurable via device_config properties
# (ART "runs" inside the app process)
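Review bot: `get_prop(appdomain, persist_wm_debug_prop)` gives every app domain, untrusted apps included, read access to these properties on all build types, while the commit message describes them as wmshell/sysui properties. If only SystemUI has to read them, `get_prop(platform_app, persist_wm_debug_prop)` in platform_app.te would keep the grant to the domain that needs it. If other app processes really do read them, a comment above the line should say so, for example `# persist.wm.debug.* is read by WM shell code running in app processes`. Because these are `persist.` properties, values written on a debug build stay readable by all apps after a reboot, so the width of this read grant is worth a deliberate decision.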
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index ee7d51e..369b816 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -50,6 +50,7 @@
locale_service
mdns_service
nearby_service
+ persist_wm_debug_prop
proc_watermark_boost_factor
proc_watermark_scale_factor
remotelyprovisionedkeypool_service
diff --git a/private/platform_app.te b/private/platform_app.te
index 20c9820..b723633 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -40,6 +40,10 @@
# com.android.systemui
allow platform_app rootfs:dir getattr;
get_prop(platform_app, radio_cdma_ecm_prop)
+userdebug_or_eng(`
+ set_prop(platform_app, persist_wm_debug_prop)
+')
+neverallow { domain -init -dumpstate userdebug_or_eng(`-domain') } persist_wm_debug_prop:property_service set;
# com.android.captiveportallogin reads /proc/vmstat
allow platform_app {
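Review bot: The neverallow on the last added line is vacuous on userdebug and eng builds, because the `-domain` term inside its `userdebug_or_eng` clause empties the source set, so nothing stops a later change from granting `set` on `persist_wm_debug_prop` to any other domain there. Assuming no other domain is meant to write these properties, replacing `-domain` with `-platform_app -shell` inside that clause would pin the debug-build writers to the two domains this commit grants (here and in shell.te). `-dumpstate` is exempted on every build type, but no rule in the visible diff gives dumpstate `set` on this type; if it is not needed, dropping it leaves init as the only writer on user builds. A one-line comment above the rule, such as `# Only init may set persist.wm.debug.* on user builds`, would record the intent.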
diff --git a/private/property_contexts b/private/property_contexts
index a15c78f..8477924 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -102,6 +102,7 @@
sys.lmk. u:object_r:system_lmk_prop:s0
sys.trace. u:object_r:system_trace_prop:s0
wrap. u:object_r:zygote_wrap_prop:s0 prefix string
+persist.wm.debug. u:object_r:persist_wm_debug_prop:s0
# Suspend service properties
suspend.max_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
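Review bot: The new `persist.wm.debug.` entry declares neither a match kind nor a value type, unlike the `wrap.` entry just above it, which ends in `prefix string`. Appending `prefix` would state the intended matching explicitly. A value type could follow if every property under this prefix shares one, which the diff does not show. With a type declared, malformed values written from the shell on debug builds are rejected when they are set, so they never get persisted.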
diff --git a/private/shell.te b/private/shell.te
index 32819ac..ae5ff55 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -227,3 +227,6 @@
# Let the shell user call virtualizationservice (and
# virtualizationservice call back to shell) for debugging.
virtualizationservice_use(shell)
+
+# Allow shell to set persist.wm.debug properties
+userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')
diff --git a/private/system_server.te b/private/system_server.te
index 682be60..275bb6f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -799,6 +799,9 @@
# Read hypervisor capabilities ro.boot.hypervisor.*
get_prop(system_server, hypervisor_prop)
+# Read persist.wm.debug. properties
+get_prop(system_server, persist_wm_debug_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;