Allow CompOS to read VM config properties
We want to allow both the VM and ART to contribute to the VM config
(e.g. memory size), so define labels for 2 sets of properties and
grant the necessary access.
Bug: 274102209
Test: builds
Change-Id: Iaca1e0704301c9155f44e1859fc5a36198917568
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3b61f73..4df0d0b 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -10,6 +10,8 @@
artd
bt_device
build_attestation_prop
+ composd_vm_art_prop
+ composd_vm_vendor_prop
credential_service
device_as_webcam
device_config_camera_native_prop
diff --git a/private/composd.te b/private/composd.te
index 96991c6..68dd993 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -30,9 +30,16 @@
domain_auto_trans(composd, fd_server_exec, compos_fd_server)
allow composd compos_fd_server:process signal;
+# Read properties used to configure the CompOS VM
+get_prop(composd, composd_vm_art_prop)
+get_prop(composd, composd_vm_vendor_prop)
+
# Read ART's properties
get_prop(composd, dalvik_config_prop)
get_prop(composd, device_config_runtime_native_boot_prop)
# We never create any artifact files directly
neverallow composd apex_art_data_file:file create;
+
+# ART sets these properties via init script, nothing else should
+neverallow { domain -init } composd_vm_art_prop:property_service set;
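Review bot: The neverallow added at the end of this hunk restricts writers of `composd_vm_art_prop` only; `composd_vm_vendor_prop` gets no matching statement in this file. Its writer set therefore depends entirely on the `system_vendor_config_prop(composd_vm_vendor_prop)` declaration in public/property.te. Both values feed the CompOS VM configuration, so I would record that next to the rule, e.g. `# composd_vm_vendor_prop writers are limited by its system_vendor_config_prop() declaration in public/property.te`. The existing comment could also state the restriction directly: `# Only init may set these; ART does so from its init script`.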
diff --git a/private/property_contexts b/private/property_contexts
index 269442d..03b82bd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1479,6 +1479,10 @@
# virtualization service properties
virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
+# composd properties
+composd.vm.art.memory_mib.config u:object_r:composd_vm_art_prop:s0 exact uint
+composd.vm.vendor.memory_mib.config u:object_r:composd_vm_vendor_prop:s0 exact int
+
# properties for the virtual Face HAL
persist.vendor.face.virtual.type u:object_r:virtual_face_hal_prop:s0 exact string
persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
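Review bot: The two new memory_mib entries are typed differently: `composd.vm.art.memory_mib.config` is `exact uint`, while `composd.vm.vendor.memory_mib.config` is `exact int`, so the property service will accept a negative vendor value. If that is not intended, the vendor line should read `composd.vm.vendor.memory_mib.config u:object_r:composd_vm_vendor_prop:s0 exact uint`. If the signed type is deliberate (for example as a relative adjustment, which is only a guess), a comment above the entry should say so. The reader is not visible in this diff, so it is worth confirming that it rejects or clamps negative and oversized values before using them to size the VM.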
diff --git a/public/property.te b/public/property.te
index 74dd0f5..2f37b93 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@
system_restricted_prop(bq_config_prop)
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
+system_restricted_prop(composd_vm_art_prop)
system_restricted_prop(device_config_camera_native_prop)
system_restricted_prop(device_config_edgetpu_native_prop)
system_restricted_prop(device_config_nnapi_native_prop)
@@ -142,6 +143,7 @@
system_vendor_config_prop(camerax_extensions_prop)
system_vendor_config_prop(charger_config_prop)
system_vendor_config_prop(codec2_config_prop)
+system_vendor_config_prop(composd_vm_vendor_prop)
system_vendor_config_prop(cpu_variant_prop)
system_vendor_config_prop(dalvik_config_prop)
system_vendor_config_prop(debugfs_restriction_prop)