Merge "Add sepolicy for gsid properties, and allow system_server to read them."
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 6962052..943dbf0 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -54,6 +54,7 @@
     gsi_service
     gsid
     gsid_exec
+    gsid_prop
     color_display_service
     external_vibrator_service
     hal_atrace_hwservice
diff --git a/private/gsid.te b/private/gsid.te
index 0c2e50c..62ac06b 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -9,6 +9,7 @@
 binder_use(gsid)
 binder_service(gsid)
 add_service(gsid, gsi_service)
+set_prop(gsid, gsid_prop)
 
 # Needed to create/delete device-mapper nodes, and read/write to them.
 allow gsid dm_device:chr_file rw_file_perms;
@@ -33,6 +34,8 @@
 # gsi_tool passes the system image over the adb connection, via stdin.
 allow gsid adbd:fd use;
 
+neverallow { domain -gsid -init } gsid_prop:property_service set;
+
 # gsid needs to store images on /data, but cannot use file I/O. If it did, the
 # underlying blocks would be encrypted, and we couldn't mount the GSI image in
 # first-stage init. So instead of directly writing to /data, we:
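Review bot: The new `neverallow { domain -gsid -init } gsid_prop:property_service set;` has no comment, and it sits between the adbd fd rule and the /data storage comment, away from the `set_prop(gsid, gsid_prop)` line it backs up. A one-line comment such as `# Only gsid and init may set gsid properties.` would state the intent. Consider placing the rule next to the `set_prop` line, or wherever this file groups its neverallow rules, which is not visible from this hunk. The rule constrains `set` only, so read access to gsid_prop is limited only by which domains are granted `get_prop`.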
diff --git a/private/property_contexts b/private/property_contexts
index 8024954..a34a52c 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -181,3 +181,6 @@
 persist.apexd.          u:object_r:apexd_prop:s0
 
 bpf.progs_loaded        u:object_r:bpf_progs_loaded_prop:s0
+
+gsid.                   u:object_r:gsid_prop:s0
+ro.gsid.                u:object_r:gsid_prop:s0
diff --git a/private/system_server.te b/private/system_server.te
index 7e16f6a..2751b09 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -623,6 +623,9 @@
 # Read/write the property that enables Test Harness Mode
 set_prop(system_server, test_harness_prop)
 
+# Read gsid.image_running.
+get_prop(system_server, gsid_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
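Review bot: The comment `# Read gsid.image_running.` describes a narrower grant than `get_prop(system_server, gsid_prop)` actually gives. The property_contexts change in this commit labels every property under `gsid.` and `ro.gsid.` as gsid_prop, so system_server can read all of them, including any added later under those prefixes. If only the one property is needed, a dedicated type for it would keep the grant minimal. Otherwise the comment should match the real scope, e.g. `# Read gsid properties (e.g. gsid.image_running).`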
diff --git a/public/property.te b/public/property.te
index 8883ff8..74c9bc5 100644
--- a/public/property.te
+++ b/public/property.te
@@ -44,6 +44,7 @@
 type ffs_prop, property_type, core_property_type;
 type fingerprint_prop, property_type, core_property_type;
 type firstboot_prop, property_type;
+type gsid_prop, property_type;
 type heapprofd_enabled_prop, property_type;
 type heapprofd_prop, property_type;
 type hwservicemanager_prop, property_type;
@@ -413,6 +414,7 @@
     -device_config_runtime_native_boot_prop
     -device_config_runtime_native_prop
     -device_config_media_native_prop
+    -gsid_prop
     -heapprofd_enabled_prop
     -heapprofd_prop
     -hwservicemanager_prop
diff --git a/public/vendor_init.te b/public/vendor_init.te
index ba0941e..76ee7a4 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -195,6 +195,7 @@
       -bootloader_boot_reason_prop
       -last_boot_reason_prop
       -apexd_prop
+      -gsid_prop
     })
 ')