Allow permissive MTE to be set by non-root users
Found when making the tests for permissive MTE, which are part of the
CTS test suite because I really, really don't want to fork hundreds of
lines of Java glue. But, CTS tests aren't supposed to only run on rooted
devices (even though there's examples of this in the tree already).
I think either way, ideologically, we should allow non-root users to
enable permissive MTE. This would be useful for a person who wants to
dogfood MTE with all apps on, but use a retail build. I can think of at
least a few researchers that would probably find this useful.
Bug: 328793166
Test: adb unroot && adb shell setprop persist.sys.mte.permissive 1
Change-Id: Ie905e23c9600986cb436e1cc7490e28678710696
diff --git a/private/shell.te b/private/shell.te
index 60684f4..0d0f375 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -227,6 +227,7 @@
# Allow shell to write MTE properties even on user builds.
set_prop(shell, arm64_memtag_prop)
+set_prop(shell, permissive_mte_prop)
# Allow shell to read the dm-verity props on user builds.
get_prop(shell, verity_status_prop)
diff --git a/private/su.te b/private/su.te
index 2e0d10a..906c806 100644
--- a/private/su.te
+++ b/private/su.te
@@ -30,7 +30,4 @@
# Do not audit accesses to keystore2 namespace for the su domain.
dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
-
- # Allow root to set MTE permissive mode.
- set_prop(su, permissive_mte_prop);
')