Merge "[MTE] Add memtag sysprop sepolicy." am: e0bab54ba6 am: 3eba07e497 am: 654f38ae37
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1542329
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I035a0ab7f24c54624acf203f0fae68660f9dcf9c
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index adb1020..a77ac01 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -9,6 +9,7 @@
adbd_config_prop
apc_service
apex_info_file
+ arm64_memtag_prop
cgroup_desc_api_file
cgroup_v2
ctl_snapuserd_prop
diff --git a/private/property.te b/private/property.te
index 1163a3c..c949a72 100644
--- a/private/property.te
+++ b/private/property.te
@@ -376,6 +376,15 @@
libc_debug_prop
}:property_service set;
+# Allow the shell to set MTE props, so that non-root users with adb shell
+# access can control the settings on their device.
+neverallow {
+ -init
+ -shell
+} {
+ arm64_memtag_prop
+}:property_service set;
+
neverallow {
-init
-system_server
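Review bot: The comment added above the new `neverallow` describes a grant ("Allow the shell to set MTE props"), but the rule beneath it is a restriction; the grant itself is in private/shell.te. Someone auditing who may write `arm64_memtag_prop` should find the invariant stated here, for example `# Only init and shell may set MTE props; shell is exempted so that adb users can control MTE on their own device.` The `neverallow` block that follows the new rule continues past the end of this hunk.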
diff --git a/private/property_contexts b/private/property_contexts
index a8754aa..c1aa5e0 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -576,6 +576,9 @@
libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
+# shell-only props for ARM memory tagging (MTE).
+arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+
net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
persist.sys.locale u:object_r:exported_system_prop:s0 exact string
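Review bot: The `arm64.memtag.` entry is a `prefix string` match, so any property later created under that namespace inherits `arm64_memtag_prop` and becomes shell-writable without another policy review. The comment should say so, or the entry should list exact names once they are settled. "shell-only" also disagrees with the rest of this change: the neverallow in private/property.te exempts init as well, and public/domain.te makes the type readable by every domain. Suggested wording: `# ARM memory tagging (MTE) props: settable by init and shell, readable by all domains. Prefix match, so new arm64.memtag.* props inherit this label.` If the accepted values turn out to be a fixed set, an `enum` type would be a tighter choice than `string`.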
diff --git a/private/shell.te b/private/shell.te
index 0e94cd1..73aac1d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -168,3 +168,6 @@
# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
set_prop(shell, sqlite_log_prop)
+
+# Allow shell to write MTE properties even on user builds.
+set_prop(shell, arm64_memtag_prop)
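Review bot: This grant lets the shell domain change memory-tagging settings on user builds, but the comment does not record the trust assumption that makes this acceptable for a hardening feature. Presumably the gate is that reaching the shell domain requires the device owner to have enabled and authorized adb; that should be written down. The comment should also say whether a value under this prefix can switch tagging off for system processes or only for selected ones, since the hunk does not show which. A possible comment: `# MTE props are writable from adb shell on user builds by design; adb authorization is the gate. Writers are limited to init and shell by the neverallow in private/property.te.`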
diff --git a/public/domain.te b/public/domain.te
index df398e6..3801631 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -100,6 +100,7 @@
# Public readable properties
get_prop(domain, aaudio_config_prop)
+get_prop(domain, arm64_memtag_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
diff --git a/public/property.te b/public/property.te
index 4afc2a0..32c5c46 100644
--- a/public/property.te
+++ b/public/property.te
@@ -55,6 +55,7 @@
# Properties which can't be written outside system
system_restricted_prop(aac_drc_prop)
+system_restricted_prop(arm64_memtag_prop)
system_restricted_prop(binder_cache_bluetooth_server_prop)
system_restricted_prop(binder_cache_system_server_prop)
system_restricted_prop(binder_cache_telephony_server_prop)