Allow CompOS to read VM config properties We want to allow both the VM and ART to contribute to the VM config (e.g. memory size), so define labels for 2 sets of properties and grant the necessary access. Bug: 274102209 Test: builds Change-Id: Iaca1e0704301c9155f44e1859fc5a36198917568

commit: a45646c024da96ff9b386dfafa6b42155a43ed63 [log] [tgz]
author: Alan Stokes <alanstokes@google.com> Wed Mar 22 09:48:30 2023 +0000
committer: Alan Stokes <alanstokes@google.com> Thu Mar 23 15:40:14 2023 +0000
tree: 04614e6ced2aea43b74c3959e48eea8846832da0
parent: 80cd0acd6487a08002de6707182f7a15df809c67 [diff] [blame]
diff --git a/private/composd.te b/private/composd.te
index 96991c6..68dd993 100644
--- a/private/composd.te
+++ b/private/composd.te

@@ -30,9 +30,16 @@
 domain_auto_trans(composd, fd_server_exec, compos_fd_server)
 allow composd compos_fd_server:process signal;
 
+# Read properties used to configure the CompOS VM
+get_prop(composd, composd_vm_art_prop)
+get_prop(composd, composd_vm_vendor_prop)
+
 # Read ART's properties
 get_prop(composd, dalvik_config_prop)
 get_prop(composd, device_config_runtime_native_boot_prop)
 
 # We never create any artifact files directly
 neverallow composd apex_art_data_file:file create;
+
+# ART sets these properties via init script, nothing else should
+neverallow { domain -init } composd_vm_art_prop:property_service set;
commit	a45646c024da96ff9b386dfafa6b42155a43ed63	[log] [tgz]
author	Alan Stokes <alanstokes@google.com>	Wed Mar 22 09:48:30 2023 +0000
committer	Alan Stokes <alanstokes@google.com>	Thu Mar 23 15:40:14 2023 +0000
tree	04614e6ced2aea43b74c3959e48eea8846832da0
parent	80cd0acd6487a08002de6707182f7a15df809c67 [diff] [blame]