Allow shell to read odsign properties.
The shell context can invoke app_process (ART runtime), which in turn
reads odsign_prop to determine whether we determined that the generated
artifacts are valid. Since this was denied until now, app processes
invoked through shell would fall back to JIT Zygote. This is probably
fine, but since fixing the denial is really simple (and not risky), this
option might be preferred over adding it to the bug map.
Bug: 194630189
Test: `adb shell sm` no longer generates a denial
Change-Id: Ia7c10aec53731e5fabd05f036b12e10d63878a30
diff --git a/prebuilts/api/31.0/private/shell.te b/prebuilts/api/31.0/private/shell.te
index 40b19fd..f5b786d 100644
--- a/prebuilts/api/31.0/private/shell.te
+++ b/prebuilts/api/31.0/private/shell.te
@@ -171,6 +171,9 @@
# Allow shell to read boot image timestamps and fingerprints.
get_prop(shell, build_bootimage_prop)
+# Allow shell to read odsign verification properties
+get_prop(shell, odsign_prop)
+
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
# Allow to issue control commands to profcollectd binder service.
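Review bot: The new comment above get_prop(shell, odsign_prop) states what is allowed but not why, and it drops the trailing period that the neighbouring comment lines end with. Suggest something like "# Allow shell to read odsign verification properties, which app_process reads when invoked from shell." so the reason given in the commit message stays in the policy file.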
diff --git a/private/shell.te b/private/shell.te
index 2f983f2..d2bd17d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -171,6 +171,9 @@
# Allow shell to read boot image timestamps and fingerprints.
get_prop(shell, build_bootimage_prop)
+# Allow shell to read odsign verification properties
+get_prop(shell, odsign_prop)
+
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
# Allow to issue control commands to profcollectd binder service.
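Review bot: get_prop(shell, odsign_prop) is added unconditionally, while the set_prop rule directly after it is wrapped in userdebug_or_eng, so the read access applies to shell on every build type. That matches the commit message, but the Test line only mentions `adb shell sm`; please confirm the denial is also gone on a user build. This hunk should also stay identical to the prebuilts/api/31.0/private/shell.te copy, as it is now.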