Declare dalvik.vm. property and dontaudit explicitly
dex2oat currently uses some properties as flags (see
art/libartbase/base/flags.cc). For CompOS, we don't really need such
properties, and actually should avoid global state. So dontaudit
explicitly.
Bug: 210030607
Test: no more default_prop denials for dex2oat
Change-Id: I10852f2a7df4dac7a9389eab3f53f91328104f96
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index 0f8b905..221de96 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -23,3 +23,8 @@
# Allow dex2oat to read /apex/apex-info-list.xml
allow dex2oat apex_info_file:file r_file_perms;
+
+# Don't audit because we don't configure the compiler through system properties
+# in the VM.
+dontaudit dex2oat dalvik_config_prop:file { open read getattr map };
+dontaudit dex2oat device_config_runtime_native_prop:file { open read getattr map };
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 799ac3c..c36875c 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,3 +1,7 @@
+# Declare ART properties for CompOS
+system_public_prop(dalvik_config_prop)
+system_restricted_prop(device_config_runtime_native_prop)
+
# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
# in the audit log
dontaudit domain {
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 2f6d698..20994e5 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -161,3 +161,7 @@
ro.vndk.version u:object_r:build_prop:s0 exact string
heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
+
+# ART properties for CompOS
+dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
+persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 prefix