commit 8cd32cd93ef9624280ba23f5a1f3aacbe9b25c0a
author Mitch Phillips <mitchp@google.com> Tue Mar 22 15:59:57 2022 -0700
committer Mitch Phillips <mitchp@google.com> Tue Apr 12 13:20:05 2022 -0700
tree e249c33d8c58a2185c7c0cd9d0208b4e5463cab3
parent e82248bcb0a62e9406dec87d0d9c8dc863bd0aff

[GWP-ASan] Add sysprop, allow shell and system apps to set it.

Bug: 219651032
Test: atest bionic-unit-tests

Change-Id: Ic4804ce0e4f3b6ba8eb8d82aca11b400b45c03dc

private/compat/32.0/32.0.ignore.cil

diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 3547ebb..6f3049b 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -26,6 +26,7 @@
     extra_free_kbytes_exec
     fs_bpf_vendor
     gesture_prop
+    gwp_asan_prop
     hal_contexthub_service
     hal_camera_service
     hal_evs_service

private/property.te

diff --git a/private/property.te b/private/property.te
index 3f02c83..2f7d512 100644
--- a/private/property.te
+++ b/private/property.te
@@ -410,9 +410,9 @@
   libc_debug_prop
 }:property_service set;
 
-# Allow the shell to set MTE props, so that non-root users with adb shell
-# access can control the settings on their device.
-# Allow system apps to set MTE props, so Developer Options can set them.
+# Allow the shell to set MTE & GWP-ASan props, so that non-root users with adb
+# shell access can control the settings on their device. Allow system apps to
+# set MTE props, so Developer Options can set them.
 neverallow {
   domain
   -init
@@ -420,6 +420,7 @@
   -system_app
 } {
   arm64_memtag_prop
+  gwp_asan_prop
 }:property_service set;
 
 neverallow {

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index 04e77e4..e81ceb1 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -719,6 +719,10 @@
 libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
 libc.debug.hooks.enable   u:object_r:libc_debug_prop:s0 exact string
 
+# GWP-ASan props. Separate from other libc.debug.* props, because we want users
+# to be able to set them from `adb shell` even on release devices.
+libc.debug.gwp_asan.  u:object_r:gwp_asan_prop:s0 prefix string
+
 # shell-only props for ARM memory tagging (MTE).
 arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
 persist.arm64.memtag.default u:object_r:arm64_memtag_prop:s0 exact string

private/shell.te

diff --git a/private/shell.te b/private/shell.te
index ae5ff55..2ddd7bc 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -230,3 +230,6 @@
 
 # Allow shell to set persist.wm.debug properties
 userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')
+
+# Allow shell to write GWP-ASan properties even on user builds.
+set_prop(shell, gwp_asan_prop)