Merge "sepolicy for server configurable flags"

private/compat/26.0/26.0.ignore.cil

@@ -36,6 +36,7 @@
     ctl_interface_start_prop
     ctl_interface_stop_prop
     ctl_sigstop_prop
+    device_config_boot_count_prop
     e2fs
     e2fs_exec
     exfat
@@ -65,6 +66,8 @@
     exported3_system_prop
     fastbootd
     fingerprint_vendor_data_file
+    flags_health_check
+    flags_health_check_exec
     fs_bpf
     fwk_stats_hwservice
     hal_atrace_hwservice

private/compat/27.0/27.0.ignore.cil

@@ -34,6 +34,7 @@
     ctl_interface_start_prop
     ctl_interface_stop_prop
     ctl_sigstop_prop
+    device_config_boot_count_prop
     exfat
     exported2_config_prop
     exported2_default_prop
@@ -60,6 +61,8 @@
     exported_vold_prop
     exported_wifi_prop
     fastbootd
+    flags_health_check
+    flags_health_check_exec
     fingerprint_vendor_data_file
     fs_bpf
     fwk_stats_hwservice

private/compat/28.0/28.0.ignore.cil

@@ -18,7 +18,10 @@
     biometric_service
     ;; TODO(b/116344577): remove after the issue is resolved
     buffer_hub_service
+    device_config_boot_count_prop
     fastbootd
+    flags_health_check
+    flags_health_check_exec
     fwk_bufferhub_hwservice
     fwk_stats_hwservice
     color_display_service

private/file_contexts

@@ -281,6 +281,7 @@
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
+/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
 /system/bin/idmap u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/bspatch              u:object_r:update_engine_exec:s0

private/flags_health_check.te

+typeattribute flags_health_check coredomain;
+
+init_daemon_domain(flags_health_check)

private/property_contexts

@@ -161,3 +161,6 @@ ro.boot.                u:object_r:exported2_default_prop:s0
 
 # Properties that relate to time / time zone detection behavior.
 persist.time.           u:object_r:time_prop:s0
+
+# Properties that relate to server configurable flags
+persist.device_config.attempted_boot_count        u:object_r:device_config_boot_count_prop:s0

public/flags_heatlh_check.te

+# The flags_health_check command run by init.
+type flags_health_check, domain, coredomain;
+type flags_health_check_exec, system_file_type, exec_type, file_type;
+
+set_prop(flags_health_check, device_config_boot_count_prop)
+
+# system property device_config_boot_count_prop is used for deciding when to perform server
+# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
+# wrong timing, trigger server configurable flag related disaster recovery, which will override
+# server configured values of all flags with default values.
+neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;

public/property.te

@@ -25,6 +25,7 @@ type dalvik_prop, property_type, core_property_type;
 type debuggerd_prop, property_type, core_property_type;
 type debug_prop, property_type, core_property_type;
 type default_prop, property_type, core_property_type;
+type device_config_boot_count_prop, property_type;
 type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
@@ -387,6 +388,7 @@ compatible_property_only(`
     -ffs_prop
     -fingerprint_prop
     -firstboot_prop
+    -device_config_boot_count_prop
     -hwservicemanager_prop
     -last_boot_reason_prop
     -system_lmk_prop

public/vendor_init.te

@@ -173,6 +173,7 @@ recovery_only(`
 not_compatible_property(`
     set_prop(vendor_init, {
       property_type
+      -device_config_boot_count_prop
       -restorecon_prop
       -netd_stable_secret_prop
       -firstboot_prop