commit ad48d3e9f16c4b4e91053b3aeafe3b5ed3dc1fc3
author Treehugger Robot <treehugger-gerrit@google.com> Fri Sep 17 12:22:57 2021 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Sep 17 12:22:57 2021 +0000
tree d8caf8b715a5e50e0378e31453721723b34af322
parent b804de2943e43463db795fa8ea29466e0c4172cf
parent d3438b0f3c4c2ce0addc1219d4cffea304eba9c1

Merge "Allow composd to run odrefresh"

private/property.te

diff --git a/private/property.te b/private/property.te
index 3ee6650..659d1d4 100644
--- a/private/property.te
+++ b/private/property.te
@@ -40,6 +40,7 @@
 system_internal_prop(zygote_wrap_prop)
 system_internal_prop(ctl_mediatranscoding_prop)
 system_internal_prop(ctl_odsign_prop)
+system_internal_prop(virtualizationservice_prop)
 
 ###
 ### Neverallow rules

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index ba0d557..cd10fe6 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1233,3 +1233,6 @@
 
 # dck properties
 ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
+
+# virtualization service properties
+virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint

private/virtualizationservice.te

diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 0c09509..3b23449 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -54,3 +54,11 @@
 
 # Let virtualizationservice to accept vsock connection from the guest VMs
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
+set_prop(virtualizationservice, virtualizationservice_prop)
+neverallow {
+  domain
+  -init
+  -virtualizationservice
+} virtualizationservice_prop:property_service set;