From 544a0d5480cfd367b15dc51de5726bbc8a803d7e Mon Sep 17 00:00:00 2001
From: Haibo Huang <hhb@google.com>
Date: Mon, 5 Nov 2018 15:03:16 -0800
Subject: [PATCH] Add new cpu variant related rules to SELinux

I added ro.bionic.(2nd_)?_(arch|cpu_variant) to vendor system
properties. And have init to write them to files under dev/.

This change set SELinux rules for these properties and files.

For the system properties: vendor/default.prop will set them. init will
read them.
For the files /dev/cpu_variant:.*: init will write them. bionic libc
will read them. (Basically world readable).

This is to allow libc select the right optimized routine at runtime.
Like memcpy / strcmp etc.

Test: getprop to make sure the properties are set.
Test: ls -laZ to make sure /dev/cpu_variant:.* are correctly labeled.

Change-Id: I41662493dce30eae6d41bf0985709045c44247d3
---
 private/compat/28.0/28.0.ignore.cil | 2 ++
 private/file_contexts               | 1 +
 public/domain.te                    | 3 +++
 public/file.te                      | 2 ++
 public/property.te                  | 1 +
 public/property_contexts            | 4 ++++
 public/vendor_init.te               | 1 +
 7 files changed, 14 insertions(+)

diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 353724b90..9f4f8004b 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -18,6 +18,8 @@
     apexd_tmpfs
     biometric_service
     biometric_vendor_data_file
+    cpu_variant_prop
+    dev_cpu_variant
     device_config_boot_count_prop
     device_config_reset_performed_prop
     device_config_flags_health_check_prop
diff --git a/private/file_contexts b/private/file_contexts
index dd957a74e..a7880c0a3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -83,6 +83,7 @@
 /dev/block/zram[0-9]*	u:object_r:ram_device:s0
 /dev/bus/usb(.*)?       u:object_r:usb_device:s0
 /dev/console		u:object_r:console_device:s0
+/dev/cpu_variant:.*     u:object_r:dev_cpu_variant:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
diff --git a/public/domain.te b/public/domain.te
index b788f0d72..09eb3e6cb 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -236,6 +236,9 @@ allow domain proc:lnk_file { getattr read };
 # /proc/cpuinfo
 allow domain proc_cpuinfo:file r_file_perms;
 
+# /dev/cpu_variant:.*
+allow domain dev_cpu_variant:file r_file_perms;
+
 # jemalloc needs to read /proc/sys/vm/overcommit_memory
 allow domain proc_overcommit_memory:file r_file_perms;
 
diff --git a/public/file.te b/public/file.te
index 9cdd5f4c0..9f14621cb 100644
--- a/public/file.te
+++ b/public/file.te
@@ -183,6 +183,8 @@ type metadata_file, file_type;
 # Vold files within /metadata
 type vold_metadata_file, file_type;
 
+# Type for /dev/cpu_variant:.*.
+type dev_cpu_variant, file_type;
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
diff --git a/public/property.te b/public/property.te
index 8a1e1fd85..0704b9a00 100644
--- a/public/property.te
+++ b/public/property.te
@@ -6,6 +6,7 @@ type bluetooth_prop, property_type;
 type bootloader_boot_reason_prop, property_type;
 type config_prop, property_type, core_property_type;
 type cppreopt_prop, property_type, core_property_type;
+type cpu_variant_prop, property_type;
 type ctl_adbd_prop, property_type;
 type ctl_bootanim_prop, property_type;
 type ctl_bugreport_prop, property_type;
diff --git a/public/property_contexts b/public/property_contexts
index 36357b77c..f2362d57f 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -255,6 +255,10 @@ gsm.sim.operator.numeric u:object_r:exported_radio_prop:s0 exact string
 media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
 persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
 rcs.publish.status u:object_r:exported_radio_prop:s0 exact string
+ro.bionic.2nd_arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.2nd_cpu_variant u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
 ro.board.platform u:object_r:exported_default_prop:s0 exact string
 ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
 ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
diff --git a/public/vendor_init.te b/public/vendor_init.te
index fe3f87ff5..9aa1194c6 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -192,6 +192,7 @@ not_compatible_property(`
 allow vendor_init file_contexts_file:file r_file_perms;
 
 set_prop(vendor_init, bluetooth_a2dp_offload_prop)
+set_prop(vendor_init, cpu_variant_prop)
 set_prop(vendor_init, debug_prop)
 set_prop(vendor_init, exported_audio_prop)
 set_prop(vendor_init, exported_bluetooth_prop)
-- 
GitLab