sepolicy: allow vendor system native boot experiments property

Grant system_server and flags_health_check permission to set the
properties that correspond to vendor system native boot experiments.

Bug: 241730607
Test: Build
Merged-In: Idc2334534c2d42a625b451cfce488d7d7a651036
Change-Id: I3e98f1b05058245cad345061d801ecd8de623109
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index a07f5ae..c1fc736 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -18,6 +18,7 @@
     device_config_nnapi_native_prop
     device_config_surface_flinger_native_boot_prop
     device_config_vendor_system_native_prop
+    device_config_vendor_system_native_boot_prop
     dice_maintenance_service
     dice_node_service
     diced
diff --git a/prebuilts/api/33.0/private/flags_health_check.te b/prebuilts/api/33.0/private/flags_health_check.te
index 54ecd45..58275ff 100644
--- a/prebuilts/api/33.0/private/flags_health_check.te
+++ b/prebuilts/api/33.0/private/flags_health_check.te
@@ -24,6 +24,7 @@
 set_prop(flags_health_check, device_config_connectivity_prop)
 set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
 set_prop(flags_health_check, device_config_vendor_system_native_prop)
+set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
 set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
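Review bot: The added `set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)` creates a writer for a brand-new type, but no hunk in this diff adds that type to a neverallow that limits who may set it. If the policy has a `neverallow ... :property_service set` rule enumerating the device_config types that only init, system_server and flags_health_check may write (none is visible here, so confirm), `device_config_vendor_system_native_boot_prop` should join that list in this same change. Otherwise the only guard is the `system_restricted_prop` declaration, which keeps vendor domains from writing but would not fail the build if another system domain were later granted `set_prop` on it. The same point applies to the matching grants in private/flags_health_check.te and in both system_server.te hunks.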
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index 2a9ed78..4eda4a1 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -257,6 +257,7 @@
 persist.device_config.surface_flinger_native_boot.  u:object_r:device_config_surface_flinger_native_boot_prop:s0
 persist.device_config.swcodec_native.               u:object_r:device_config_swcodec_native_prop:s0
 persist.device_config.vendor_system_native.         u:object_r:device_config_vendor_system_native_prop:s0
+persist.device_config.vendor_system_native_boot.    u:object_r:device_config_vendor_system_native_boot_prop:s0
 persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
 persist.device_config.window_manager_native_boot.   u:object_r:device_config_window_manager_native_boot_prop:s0
 
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index 0f72c7f..8a7947d 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -752,6 +752,7 @@
 set_prop(system_server, device_config_connectivity_prop)
 set_prop(system_server, device_config_surface_flinger_native_boot_prop)
 set_prop(system_server, device_config_vendor_system_native_prop)
+set_prop(system_server, device_config_vendor_system_native_boot_prop)
 set_prop(system_server, device_config_virtualization_framework_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)
 
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index a235634..42fe979 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -68,6 +68,7 @@
 system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(device_config_surface_flinger_native_boot_prop)
 system_restricted_prop(device_config_vendor_system_native_prop)
+system_restricted_prop(device_config_vendor_system_native_boot_prop)
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(gwp_asan_prop)
 system_restricted_prop(hal_instrumentation_prop)
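Review bot: The new `system_restricted_prop(device_config_vendor_system_native_boot_prop)` line puts a type into public policy with no comment saying who is expected to write and read it. Because the type is public and system-restricted, vendor policy can reference it and grant reads, so the intended consumers are worth recording next to the declaration, for example `# vendor_system_native_boot experiment flags: set by system_server/flags_health_check, read by vendor_init`. It would also help to state that values under this prefix must not carry anything sensitive, since they become readable outside the system partition. The same declaration is added in public/property.te.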
diff --git a/prebuilts/api/33.0/public/vendor_init.te b/prebuilts/api/33.0/public/vendor_init.te
index b7302d4..57df54c 100644
--- a/prebuilts/api/33.0/public/vendor_init.te
+++ b/prebuilts/api/33.0/public/vendor_init.te
@@ -274,6 +274,7 @@
 
 # Allow vendor_init to read vendor_system_native device config changes
 get_prop(vendor_init, device_config_vendor_system_native_prop)
+get_prop(vendor_init, device_config_vendor_system_native_boot_prop)
 
 ###
 ### neverallow rules
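Review bot: The added `get_prop(vendor_init, device_config_vendor_system_native_boot_prop)` is a read grant to a vendor domain that neither the comment above it nor the commit message mentions; both speak only of vendor_system_native and of the set grants. Update the comment to `# Allow vendor_init to read vendor_system_native and vendor_system_native_boot device config changes` so the rule's scope matches what is documented. The identical line is added in public/vendor_init.te and needs the same comment change.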
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 805ca7c..18de796 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -18,6 +18,7 @@
     device_config_nnapi_native_prop
     device_config_surface_flinger_native_boot_prop
     device_config_vendor_system_native_prop
+    device_config_vendor_system_native_boot_prop
     dice_maintenance_service
     dice_node_service
     diced
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index cef7bde..64b595d 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -24,6 +24,7 @@
 set_prop(flags_health_check, device_config_connectivity_prop)
 set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
 set_prop(flags_health_check, device_config_vendor_system_native_prop)
+set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
 set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
 set_prop(flags_health_check, device_config_memory_safety_native_prop)
 
diff --git a/private/property_contexts b/private/property_contexts
index 4341bc3..c6edbe3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -262,6 +262,7 @@
 persist.device_config.surface_flinger_native_boot.  u:object_r:device_config_surface_flinger_native_boot_prop:s0
 persist.device_config.swcodec_native.               u:object_r:device_config_swcodec_native_prop:s0
 persist.device_config.vendor_system_native.         u:object_r:device_config_vendor_system_native_prop:s0
+persist.device_config.vendor_system_native_boot.    u:object_r:device_config_vendor_system_native_boot_prop:s0
 persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
 persist.device_config.window_manager_native_boot.   u:object_r:device_config_window_manager_native_boot_prop:s0
 persist.device_config.memory_safety_native.         u:object_r:device_config_memory_safety_native_prop:s0
diff --git a/private/system_server.te b/private/system_server.te
index 9ccd22d..7726b93 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -753,6 +753,7 @@
 set_prop(system_server, device_config_connectivity_prop)
 set_prop(system_server, device_config_surface_flinger_native_boot_prop)
 set_prop(system_server, device_config_vendor_system_native_prop)
+set_prop(system_server, device_config_vendor_system_native_boot_prop)
 set_prop(system_server, device_config_virtualization_framework_native_prop)
 set_prop(system_server, device_config_memory_safety_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)
diff --git a/public/property.te b/public/property.te
index 865acc2..5812a90 100644
--- a/public/property.te
+++ b/public/property.te
@@ -68,6 +68,7 @@
 system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(device_config_surface_flinger_native_boot_prop)
 system_restricted_prop(device_config_vendor_system_native_prop)
+system_restricted_prop(device_config_vendor_system_native_boot_prop)
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(gwp_asan_prop)
 system_restricted_prop(hal_instrumentation_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index b7302d4..57df54c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -274,6 +274,7 @@
 
 # Allow vendor_init to read vendor_system_native device config changes
 get_prop(vendor_init, device_config_vendor_system_native_prop)
+get_prop(vendor_init, device_config_vendor_system_native_boot_prop)
 
 ###
 ### neverallow rules