commit a782c1b37e03b84a1eab6dd4757db130948d65f8
author Xiang Wang <xwxw@google.com> Wed Dec 18 21:08:16 2024 -0800
committer Xiang Wang <xwxw@google.com> Wed Dec 18 21:08:16 2024 -0800
tree 7bb7a826b934e9dbe323b979841d66375da7e26d
parent 265f36ce0d43ef13bb8676e08de5f27050339652

Restrict HMS props write access to system server only

Bug: 346604998
Flag: EXEMPT sepolicy
Test: n/a
Change-Id: I6e4fd686bec91ee0ad83788df32f39a3e50e2a49

private/property.te

diff --git a/private/property.te b/private/property.te
index 135bcad..8cd35c7 100644
--- a/private/property.te
+++ b/private/property.te
@@ -75,7 +75,7 @@
 system_internal_prop(system_service_enable_prop)
 system_internal_prop(ctl_artd_pre_reboot_prop)
 system_internal_prop(trusty_security_vm_sys_prop)
-
+system_internal_prop(hint_manager_config_prop)
 
 # Properties which can't be written outside system
 system_restricted_prop(bionic_linker_16kb_app_compat_prop)

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index eaa55b9..7fda763 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1747,6 +1747,13 @@
 # Properties for game manager service
 persist.graphics.game_default_frame_rate.enabled  u:object_r:game_manager_config_prop:s0 exact bool
 
+# Properties for the HintManagerService
+persist.hms.use_hal_headrooms u:object_r:hint_manager_config_prop:s0 exact bool
+persist.hms.check_headroom_tid u:object_r:hint_manager_config_prop:s0 exact bool
+persist.hms.check_headroom_affinity u:object_r:hint_manager_config_prop:s0 exact bool
+persist.hms.check_headroom_proc_stat_min_millis u:object_r:hint_manager_config_prop:s0 exact int
+persist.hms.cpu_headroom_tid_max_cnt u:object_r:hint_manager_config_prop:s0 exact int
+
 # Properties for ThreadNetworkService
 threadnetwork.country_code u:object_r:threadnetwork_config_prop:s0 exact string
 

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index aeeb566..a9fe610 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1649,6 +1649,16 @@
 # Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
 set_prop(system_server, game_manager_config_prop)
 
+# Allow system server to write HintManagerService properties
+set_prop(system_server, hint_manager_config_prop)
+neverallow {
+  domain
+  -init
+  -vendor_init
+  -system_server
+  userdebug_or_eng(`-shell')
+} hint_manager_config_prop:property_service set;
+
 # ThreadNetworkService reads Thread Network properties
 get_prop(system_server, threadnetwork_config_prop)