Sepolicy: add dynamic_system_prop

and allow shell and system_app (Settings) to set it to enable Dynamic System Update. Also allow priv_app (user of the API) to read it. Bug: 119647479 Bug: 129060539 Test: run the following command on crosshatch-user: adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1 Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8 Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8

Sepolicy: add dynamic_system_prop
and allow shell and system_app (Settings) to set it to enable Dynamic System Update. Also allow priv_app (user of the API) to read it. Bug: 119647479 Bug: 129060539 Test: run the following command on crosshatch-user: adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1 Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8 Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
dea144c1 · Hung-ying Tyan · 5f30c238 · dea144c1 · dea144c1 · dea144c1
Commit dea144c1 authored 5 years ago by Hung-ying Tyan
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -46,6 +46,7 @@
    device_config_service
    dnsresolver_service
    dynamic_system_service
+    dynamic_system_prop
    face_service
    face_vendor_data_file
    fastbootd

--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -162,6 +162,9 @@ allow priv_app incidentd:fifo_file { read write };
 # profileable/debuggable.
 can_profile_heap(priv_app)

+# Allow priv_apps to check whether Dynamic System Update is enabled
+get_prop(priv_app, dynamic_system_prop)
+
 # suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;

--- a/private/property_contexts
+++ b/private/property_contexts
@@ -59,6 +59,7 @@ persist.mmc.            u:object_r:mmc_prop:s0
 persist.netd.stable_secret      u:object_r:netd_stable_secret_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
+persist.sys.fflag.override.settings_dynamic_system    u:object_r:dynamic_system_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0
 persist.sys.audit_safemode      u:object_r:safemode_prop:s0
 persist.service.        u:object_r:system_prop:s0

--- a/private/system_app.te
+++ b/private/system_app.te
@@ -49,6 +49,8 @@ userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
 auditallow system_app net_radio_prop:property_service set;
 auditallow system_app system_radio_prop:property_service set;
 auditallow system_app exported_system_radio_prop:property_service set;
+# Allow Settings to enable Dynamic System Update
+set_prop(system_app, dynamic_system_prop)

 # ctl interface
 set_prop(system_app, ctl_default_prop)

--- a/public/property.te
+++ b/public/property.te
@@ -42,6 +42,7 @@ type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
 type dumpstate_prop, property_type, core_property_type;
+type dynamic_system_prop, property_type;
 type exported_secure_prop, property_type;
 type ffs_prop, property_type, core_property_type;
 type fingerprint_prop, property_type, core_property_type;
@@ -421,6 +422,7 @@ compatible_property_only(`
    -device_config_runtime_native_boot_prop
    -device_config_runtime_native_prop
    -device_config_media_native_prop
+    -dynamic_system_prop
    -gsid_prop
    -heapprofd_enabled_prop
    -heapprofd_prop

--- a/public/shell.te
+++ b/public/shell.te
@@ -80,6 +80,8 @@ userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
 set_prop(shell, heapprofd_enabled_prop)
 # Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
 set_prop(shell, ctl_gsid_prop)
+# Allow shell to enable Dynamic System Update
+set_prop(shell, dynamic_system_prop)

 userdebug_or_eng(`
  # "systrace --boot" support - allow boottrace service to run