Add sepolicy for gsid properties, and allow system_server to read them.

Bug: 123777418
Test: manual test
Change-Id: I9f8c721dfd074e638573d85cf1d8045a69c3854e
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 6962052..943dbf0 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -54,6 +54,7 @@
     gsi_service
     gsid
     gsid_exec
+    gsid_prop
     color_display_service
     external_vibrator_service
     hal_atrace_hwservice
diff --git a/private/gsid.te b/private/gsid.te
index 0c2e50c..62ac06b 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -9,6 +9,7 @@
 binder_use(gsid)
 binder_service(gsid)
 add_service(gsid, gsi_service)
+set_prop(gsid, gsid_prop)
 
 # Needed to create/delete device-mapper nodes, and read/write to them.
 allow gsid dm_device:chr_file rw_file_perms;
@@ -33,6 +34,8 @@
 # gsi_tool passes the system image over the adb connection, via stdin.
 allow gsid adbd:fd use;
 
+neverallow { domain -gsid -init } gsid_prop:property_service set;
+
 # gsid needs to store images on /data, but cannot use file I/O. If it did, the
 # underlying blocks would be encrypted, and we couldn't mount the GSI image in
 # first-stage init. So instead of directly writing to /data, we:
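Review bot: The new `neverallow { domain -gsid -init } gsid_prop:property_service set;` has no comment, unlike the rules around it, and it sits between the adbd rule and the /data explanation where it is easy to overlook. I would put a line above it such as `# Only gsid and init may set gsid properties; other domains get read access at most.` The rule constrains writes only, so read access to gsid_prop is bounded just by the individual `get_prop` grants. The declaration of the gsid_prop type is not in the hunks shown here, so I cannot tell which attributes it carries.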
diff --git a/private/property_contexts b/private/property_contexts
index 8024954..a34a52c 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -181,3 +181,6 @@
 persist.apexd.          u:object_r:apexd_prop:s0
 
 bpf.progs_loaded        u:object_r:bpf_progs_loaded_prop:s0
+
+gsid.                   u:object_r:gsid_prop:s0
+ro.gsid.                u:object_r:gsid_prop:s0
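Review bot: Both new entries are prefix matches, so every property under `gsid.` and `ro.gsid.` receives the gsid_prop label, while the only property this change names is `gsid.image_running`. With the other hunks, that makes the whole of both namespaces settable by gsid and readable by system_server, including names added later. If the set of properties is small and known, listing them individually with the `exact` match keyword would keep the label narrow; otherwise a comment naming the expected properties would help. Whether the property_contexts parser in this branch accepts `exact` should be confirmed.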
diff --git a/private/system_server.te b/private/system_server.te
index 7e16f6a..2751b09 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -623,6 +623,9 @@
 # Read/write the property that enables Test Harness Mode
 set_prop(system_server, test_harness_prop)
 
+# Read gsid.image_running.
+get_prop(system_server, gsid_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
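Review bot: The added comment names only `gsid.image_running`, but `get_prop(system_server, gsid_prop)` grants read on everything labelled gsid_prop, which per the property_contexts change is all of `gsid.*` and `ro.gsid.*`. A comment such as `# Read gsid properties (gsid.* and ro.gsid.*), e.g. gsid.image_running.` would match what the rule actually allows.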