commit 98412ab60466c148370dd4ee4b83d3bb1e0a069c
author Amy Hsu <amyhsu@google.com> Tue May 05 13:20:30 2020 +0800
committer Amy Hsu <amyhsu@google.com> Mon Jun 15 13:56:38 2020 +0800
tree 3ff084a83afbc6e07cd2e618345381114cb99fc5
parent 50f13cfc82afe9107285e6047ecca74cbbb30791

sepolicy: change vendor property to system property

1. Add surfaceflinger_display_prop property context
2. Set context for graphics.display.kernel_idle_timer.enabled
3. Context for system property that is get by surfaceflinger
and set by vendor_init and system_app.

W /system/bin/init: type=1107 audit(0.0:5): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.display.enable_kernel_idle_timer pid=2396 uid=1000 gid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:vendor_display_prop:s0 tclass=property_service permissive=0'

Bug:137064289
Test: $ make selinux_policy. Check kernel idle timer works correct.

Change-Id: I77a82b5abfe5a771418dab5d40b404a1cdca4deb

prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil

diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index 1cdfce0..e13889d 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -98,6 +98,7 @@
     soundtrigger_middleware_service
     staged_install_file
     storage_config_prop
+    surfaceflinger_display_prop
     sysfs_dm_verity
     system_adbd_prop
     system_config_service

prebuilts/api/30.0/private/property_contexts

diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts
index 1a5471f..ae0c431 100644
--- a/prebuilts/api/30.0/private/property_contexts
+++ b/prebuilts/api/30.0/private/property_contexts
@@ -263,3 +263,6 @@
 init.userspace_reboot.started.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
 init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
 init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+
+# vendor-init-settable
+graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool

prebuilts/api/30.0/private/surfaceflinger.te

diff --git a/prebuilts/api/30.0/private/surfaceflinger.te b/prebuilts/api/30.0/private/surfaceflinger.te
index cf709df..36c39d6 100644
--- a/prebuilts/api/30.0/private/surfaceflinger.te
+++ b/prebuilts/api/30.0/private/surfaceflinger.te
@@ -58,6 +58,9 @@
 set_prop(surfaceflinger, exported3_system_prop)
 set_prop(surfaceflinger, ctl_bootanim_prop)
 
+# Get properties
+get_prop(surfaceflinger, surfaceflinger_display_prop)
+
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
 allow surfaceflinger { app_data_file privapp_data_file }:file { read write };

prebuilts/api/30.0/private/system_app.te

diff --git a/prebuilts/api/30.0/private/system_app.te b/prebuilts/api/30.0/private/system_app.te
index 0b77bb3..1e91be0 100644
--- a/prebuilts/api/30.0/private/system_app.te
+++ b/prebuilts/api/30.0/private/system_app.te
@@ -57,6 +57,8 @@
 auditallow system_app exported_system_radio_prop:property_service set;
 # Allow Settings to enable Dynamic System Update
 set_prop(system_app, dynamic_system_prop)
+# Allow Settings to config display kernel idle timer
+set_prop(system_app, surfaceflinger_display_prop)
 
 # ctl interface
 set_prop(system_app, ctl_default_prop)

prebuilts/api/30.0/public/property.te

diff --git a/prebuilts/api/30.0/public/property.te b/prebuilts/api/30.0/public/property.te
index 5bc1af2..80918e9 100644
--- a/prebuilts/api/30.0/public/property.te
+++ b/prebuilts/api/30.0/public/property.te
@@ -168,6 +168,7 @@
 system_public_prop(powerctl_prop)
 system_public_prop(radio_prop)
 system_public_prop(serialno_prop)
+system_public_prop(surfaceflinger_display_prop)
 system_public_prop(system_prop)
 system_public_prop(wifi_log_prop)
 system_public_prop(wifi_prop)
@@ -610,3 +611,11 @@
 } {
   graphics_config_prop
 }:property_service set;
+
+neverallow {
+  -init
+  -vendor_init
+  -system_app
+} {
+  surfaceflinger_display_prop
+}:property_service set;

prebuilts/api/30.0/public/vendor_init.te

diff --git a/prebuilts/api/30.0/public/vendor_init.te b/prebuilts/api/30.0/public/vendor_init.te
index 12a360e..04f81cb 100644
--- a/prebuilts/api/30.0/public/vendor_init.te
+++ b/prebuilts/api/30.0/public/vendor_init.te
@@ -236,6 +236,7 @@
 set_prop(vendor_init, rebootescrow_hal_prop)
 set_prop(vendor_init, serialno_prop)
 set_prop(vendor_init, storage_config_prop)
+set_prop(vendor_init, surfaceflinger_display_prop)
 set_prop(vendor_init, userspace_reboot_config_prop)
 set_prop(vendor_init, vehicle_hal_prop)
 set_prop(vendor_init, vendor_default_prop)

private/compat/29.0/29.0.ignore.cil

diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 1cdfce0..e13889d 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -98,6 +98,7 @@
     soundtrigger_middleware_service
     staged_install_file
     storage_config_prop
+    surfaceflinger_display_prop
     sysfs_dm_verity
     system_adbd_prop
     system_config_service

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index 1a5471f..ae0c431 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -263,3 +263,6 @@
 init.userspace_reboot.started.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
 init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
 init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+
+# vendor-init-settable
+graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool

private/surfaceflinger.te

diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index cf709df..36c39d6 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -58,6 +58,9 @@
 set_prop(surfaceflinger, exported3_system_prop)
 set_prop(surfaceflinger, ctl_bootanim_prop)
 
+# Get properties
+get_prop(surfaceflinger, surfaceflinger_display_prop)
+
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
 allow surfaceflinger { app_data_file privapp_data_file }:file { read write };

private/system_app.te

diff --git a/private/system_app.te b/private/system_app.te
index 0b77bb3..1e91be0 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -57,6 +57,8 @@
 auditallow system_app exported_system_radio_prop:property_service set;
 # Allow Settings to enable Dynamic System Update
 set_prop(system_app, dynamic_system_prop)
+# Allow Settings to config display kernel idle timer
+set_prop(system_app, surfaceflinger_display_prop)
 
 # ctl interface
 set_prop(system_app, ctl_default_prop)

public/property.te

diff --git a/public/property.te b/public/property.te
index 5bc1af2..80918e9 100644
--- a/public/property.te
+++ b/public/property.te
@@ -168,6 +168,7 @@
 system_public_prop(powerctl_prop)
 system_public_prop(radio_prop)
 system_public_prop(serialno_prop)
+system_public_prop(surfaceflinger_display_prop)
 system_public_prop(system_prop)
 system_public_prop(wifi_log_prop)
 system_public_prop(wifi_prop)
@@ -610,3 +611,11 @@
 } {
   graphics_config_prop
 }:property_service set;
+
+neverallow {
+  -init
+  -vendor_init
+  -system_app
+} {
+  surfaceflinger_display_prop
+}:property_service set;

public/vendor_init.te

diff --git a/public/vendor_init.te b/public/vendor_init.te
index 12a360e..04f81cb 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -236,6 +236,7 @@
 set_prop(vendor_init, rebootescrow_hal_prop)
 set_prop(vendor_init, serialno_prop)
 set_prop(vendor_init, storage_config_prop)
+set_prop(vendor_init, surfaceflinger_display_prop)
 set_prop(vendor_init, userspace_reboot_config_prop)
 set_prop(vendor_init, vehicle_hal_prop)
 set_prop(vendor_init, vendor_default_prop)