sepolicy: add rules for bionic.linker.16kb.app_compat.enabled

This property serves as the global toggle for 16kb app compat.

It must be world readable since the linker is executed in the context
of the process requesting the dynamic linking.

Currently, only init and root shell are allowed to set the property.
This may be modified later to also allow toggling from the settings
app.

Bug: 339709616
Test: m
Change-Id: Ie0fd4132477460d88c3cf2f09aa59084f54cfea7
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
diff --git a/private/domain.te b/private/domain.te
index 94f96d9..0d2a1d3 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -342,6 +342,10 @@
 allow domain sysfs_pgsize_migration:dir search;
 allow domain sysfs_pgsize_migration:file r_file_perms;
 
+# Linker is executed from the context of the process requesting the dynamic linking,
+# so this prop must be "world-readable".
+get_prop(domain, bionic_linker_16kb_app_compat_prop)
+
 # Allow everyone to read media server-configurable flags, so that libstagefright can be
 # configured using server-configurable flags
 get_prop(domain, device_config_media_native_prop)
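Review bot: The comment added above `get_prop(domain, bionic_linker_16kb_app_compat_prop)` explains why the property is world-readable but not that the grant is by type. Any property later labelled `bionic_linker_16kb_app_compat_prop` would become readable by every domain as well. The `property_contexts` entry in this commit is `exact bool`, so the exposure is currently a single boolean flag. I would add a second comment line such as `# Every domain can read this type; keep only non-sensitive toggles under it.` so the constraint is visible to whoever extends the type.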
diff --git a/private/init.te b/private/init.te
index 8ab1aab..73ab049 100644
--- a/private/init.te
+++ b/private/init.te
@@ -82,6 +82,9 @@
 set_prop(init, init_perf_lsm_hooks_prop)
 set_prop(init, vts_status_prop)
 
+# Allow init to set 16kb app compatibility props
+set_prop(init, bionic_linker_16kb_app_compat_prop)
+
 # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
 allow init debugfs_bootreceiver_tracing:file w_file_perms;
 
diff --git a/private/property.te b/private/property.te
index 1f94608..7c2d6d1 100644
--- a/private/property.te
+++ b/private/property.te
@@ -71,6 +71,7 @@
 
 
 # Properties which can't be written outside system
+system_restricted_prop(bionic_linker_16kb_app_compat_prop)
 system_restricted_prop(device_config_virtualization_framework_native_prop)
 system_restricted_prop(fstype_prop)
 system_restricted_prop(log_file_logger_prop)
@@ -834,3 +835,9 @@
   -init
   -vendor_init
 } pm_archiving_enabled_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  userdebug_or_eng(`-su')
+} bionic_linker_16kb_app_compat_prop:property_service set;
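Review bot: The `neverallow` appended at the end of the file carries no comment saying why writes are confined to `init` (plus `su` on userdebug/eng builds), although the property it guards is readable by every domain. A line above the rule such as `# Global 16kb app compat toggle, read by the linker in all domains; only init (and su on userdebug/eng) may set it.` would record the intent. Unlike the `neverallow` just before it, this one does not exempt `vendor_init`, which looks deliberate given `system_restricted_prop`, and the comment could say so. The commit message anticipates a settings-app writer later; that change will need an exemption here, and a stated rationale gives its reviewer something to weigh the widening against.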
diff --git a/private/property_contexts b/private/property_contexts
index f631f8f..bfe2a52 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1267,6 +1267,8 @@
 ro.bionic.arch            u:object_r:cpu_variant_prop:s0 exact string
 ro.bionic.cpu_variant     u:object_r:cpu_variant_prop:s0 exact string
 
+bionic.linker.16kb.app_compat.enabled u:object_r:bionic_linker_16kb_app_compat_prop:s0 exact bool
+
 ro.board.platform u:object_r:exported_default_prop:s0 exact string
 
 ro.boot.fake_battery         u:object_r:exported_default_prop:s0 exact int
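Review bot: The new entry `bionic.linker.16kb.app_compat.enabled` has neither the `ro.` nor the `persist.` prefix, so a permitted writer can change the value at runtime and it is not kept across a reboot. If the linker reads it when a process loads, which the commit message suggests but this diff does not show, processes started before and after a change would run with different settings. If that is intended, a comment above the entry such as `# Runtime-mutable, not persisted across reboot.` would make it explicit for whoever later wires up the settings-app toggle.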