commit cae2368d2d8626077ad909f0bd16c0880367486e
author Jooyung Han <jooyung@google.com> Fri Sep 02 16:26:27 2022 +0900
committer Jooyung Han <jooyung@google.com> Fri Sep 02 18:11:33 2022 +0900
tree 7ba34aa1d3dca2cbd35020ddd9d52dfb87065a64
parent ba80cd59a7faf34cd13769aa7bf6bf9618a69bd9

Set apex. property as "system_restricted"

Since the property is supposed to be used by vendor-side .rc file as
read-only (especially by vendor apex), it should be "system_restricted".

Also allow vendor_init to read the property.

Bug: 232172382
Test: boot cuttlefish (with vendor apex using the property)
Change-Id: I502388e550e0a3c961a51af2e2cf11335a45b992

private/compat/33.0/33.0.ignore.cil

diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 15f7c4a..90e2eaf 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    apex_ready_prop
     artd
     device_config_memory_safety_native_prop
     device_config_vendor_system_native_prop

private/property.te

diff --git a/private/property.te b/private/property.te
index 90db686..27a8e38 100644
--- a/private/property.te
+++ b/private/property.te
@@ -47,7 +47,6 @@
 system_internal_prop(ctl_odsign_prop)
 system_internal_prop(virtualizationservice_prop)
 system_internal_prop(ctl_apex_load_prop)
-system_internal_prop(apex_ready_prop)
 
 # Properties which can't be written outside system
 system_restricted_prop(device_config_virtualization_framework_native_prop)
@@ -655,6 +654,7 @@
   -coredomain
   -dumpstate
   -apexd
+  -vendor_init
 } apex_ready_prop:file no_rw_file_perms;
 
 neverallow {

private/vendor_init.te

diff --git a/private/vendor_init.te b/private/vendor_init.te
index 70b3ef9..acbd84e 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -12,6 +12,9 @@
 # Let vendor_init react to AVF device config changes
 get_prop(vendor_init, device_config_virtualization_framework_native_prop)
 
+# Let vendor_init use apex.<name>.ready to start services from vendor APEX
+get_prop(vendor_init, apex_ready_prop)
+
 # chown/chmod on devices, e.g. /dev/ttyHS0
 allow vendor_init {
   dev_type

public/property.te

diff --git a/public/property.te b/public/property.te
index 1688b54..80df624 100644
--- a/public/property.te
+++ b/public/property.te
@@ -52,6 +52,7 @@
 
 # Properties which can't be written outside system
 system_restricted_prop(aac_drc_prop)
+system_restricted_prop(apex_ready_prop)
 system_restricted_prop(arm64_memtag_prop)
 system_restricted_prop(binder_cache_bluetooth_server_prop)
 system_restricted_prop(binder_cache_system_server_prop)