Allow the ART boot oneshot service to configure ART config properties.
Test: See commit 2691baf9d4f8086902d46b2e340a6e5464857b90 in art/
(ag/23125728)
Bug: 281850017
Change-Id: I14baf55d07ad559294bd3b7d9562230e78201d25
(cherry picked from commit 3d7093fd7bc1dffa49db5436081c6f4e49947f26)
Merged-In: I14baf55d07ad559294bd3b7d9562230e78201d25
diff --git a/private/art_boot.te b/private/art_boot.te
new file mode 100644
index 0000000..1b088d6
--- /dev/null
+++ b/private/art_boot.te
@@ -0,0 +1,9 @@
+# ART boot oneshot service
+type art_boot, domain, coredomain;
+type art_boot_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(art_boot)
+
+# Allow ART to set its config properties at boot, mainly to be able to propagate
+# experiment flags to properties that only may change at boot.
+set_prop(art_boot, dalvik_config_prop_type)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3a49745..79f925f 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -7,6 +7,8 @@
( new_objects
adaptive_haptics_prop
apex_ready_prop
+ art_boot
+ art_boot_exec
artd
bt_device
build_attestation_prop
diff --git a/private/domain.te b/private/domain.te
index 30ceb24..08adeb8 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -534,6 +534,10 @@
# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
+# Allow ART to set its config properties in its oneshot boot service, in
+# addition to the common init and vendor_init access.
+neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;
+
# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;