Add selinux permissions for ro.usb.uvc.enabled
This CL adds the SELinux rules for the property ro.usb.uvc.enabled, which will
be used to toggle UVC Gadget functionality on the Android device.
Bug: 242344221
Bug: 242344229
Test: Manually tested that the property can only be read at runtime,
not written to.
Change-Id: I0fd6051666d9554037acc68fa81226503f514a45
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index ffa7e4e..af2f22e 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -43,6 +43,7 @@
timezone_metadata_prop
tuner_config_prop
tuner_server_ctl_prop
+ usb_uvc_enabled_prop
virtual_face_hal_prop
virtual_fingerprint_hal_prop
hal_gatekeeper_service
diff --git a/private/property.te b/private/property.te
index c4351d1..5383300 100644
--- a/private/property.te
+++ b/private/property.te
@@ -681,3 +681,9 @@
domain
-init
} log_file_logger_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+} usb_uvc_enabled_prop:property_service set;
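Review bot: The neverallow added at the end of private/property.te carries no comment saying why init and vendor_init are the only permitted writers; a line such as `# Only init and vendor_init may set ro.usb.uvc.enabled` above it would record the intent. The same type is declared through `system_vendor_config_prop(usb_uvc_enabled_prop)` in public/property.te, and that macro appears to emit an equivalent set restriction already, so this block may be redundant. It is worth checking the macro definition and then either dropping the block or stating in the comment that the duplication is deliberate. The commit's test was manual, so this compile-time rule is what would catch a later allow rule that widens write access.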
diff --git a/private/property_contexts b/private/property_contexts
index 5611290..f3c8d55 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1501,3 +1501,6 @@
# Adaptive haptics settings property
vibrator.adaptive_haptics.enabled u:object_r:adaptive_haptics_prop:s0 exact string
+
+# UVC Gadget property
+ro.usb.uvc.enabled u:object_r:usb_uvc_enabled_prop:s0 exact bool
diff --git a/private/system_app.te b/private/system_app.te
index 3b92c0f..9116058 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -177,6 +177,9 @@
# Settings app reads ro.oem_unlock_supported
get_prop(system_app, oem_unlock_prop)
+# Settings app reads ro.usb.uvc.enabled
+get_prop(system_app, usb_uvc_enabled_prop)
+
# Allow system apps to act as Perfetto producers.
perfetto_producer(system_app)
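Review bot: The comment `# Settings app reads ro.usb.uvc.enabled` understates the grant, because `get_prop(system_app, usb_uvc_enabled_prop)` gives read access to every process in the system_app domain, not only Settings. Wording it as `# system_app (e.g. Settings) reads ro.usb.uvc.enabled` would make the real scope visible to a later policy reviewer. The property is labelled `exact bool` and carries the `ro.` prefix, so this is a documentation point rather than a request to narrow the rule.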
diff --git a/public/hal_usb_gadget.te b/public/hal_usb_gadget.te
index 45bfdbe..c0df9a9 100644
--- a/public/hal_usb_gadget.te
+++ b/public/hal_usb_gadget.te
@@ -14,3 +14,6 @@
allow hal_usb_gadget_server functionfs:dir { read search };
allow hal_usb_gadget_server functionfs:file read;
allow hal_usb_gadget_server proc_interrupts:file r_file_perms;
+
+# Read access to ro.usb.uvc.enabled
+get_prop(hal_usb_gadget_server, usb_uvc_enabled_prop)
diff --git a/public/property.te b/public/property.te
index 346cd77..0cde294 100644
--- a/public/property.te
+++ b/public/property.te
@@ -187,6 +187,7 @@
system_vendor_config_prop(zygote_config_prop)
system_vendor_config_prop(dck_prop)
system_vendor_config_prop(tuner_config_prop)
+system_vendor_config_prop(usb_uvc_enabled_prop)
# Properties with no restrictions
system_public_prop(adbd_config_prop)