Add policies for ro.kernel.watermark_scale_factor property
The new ro.kernel.watermark_scale_factor property is used to store the
original value read from /proc/sys/vm/watermark_scale_factor before
extra_free_kbytes.sh changes it. The original value is necessary to
use the same reference point in case the script is invoked multiple
times. The property is set by init the first time the script is invoked
and should never be changed afterwards.
Bug: 242837506
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I7760484854a41394a2efda9445cff8cb61587514
diff --git a/private/extra_free_kbytes.te b/private/extra_free_kbytes.te
index af3088b..d210884 100644
--- a/private/extra_free_kbytes.te
+++ b/private/extra_free_kbytes.te
@@ -1,3 +1,6 @@
typeattribute extra_free_kbytes coredomain;
init_daemon_domain(extra_free_kbytes)
+
+# Only extra_free_kbytes script is allowed to store these properties
+set_prop(extra_free_kbytes, init_storage_prop)
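Review bot: The comment above `set_prop(extra_free_kbytes, init_storage_prop)` says only the script may store these properties, but the neverallow added in private/property.te exempts `init` as well, and the commit description says the property is set by init. The comment should name both writers, for example `# extra_free_kbytes.sh records the original watermark_scale_factor; only init and this domain may set init_storage_prop`. As far as I recall, the `set_prop` macro also grants read access to the type, which the script presumably needs to find its reference value on later runs; it would help to say so in the comment.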
diff --git a/private/property.te b/private/property.te
index 27a8e38..bb49742 100644
--- a/private/property.te
+++ b/private/property.te
@@ -18,6 +18,7 @@
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_service_status_private_prop)
+system_internal_prop(init_storage_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(keystore_crash_prop)
system_internal_prop(keystore_listen_prop)
@@ -150,6 +151,12 @@
neverallow {
domain
-init
+ -extra_free_kbytes
+} init_storage_prop:property_service set;
+
+neverallow {
+ domain
+ -init
} init_svc_debug_prop:property_service set;
neverallow {
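Review bot: The new neverallow exempts `extra_free_kbytes` for the whole `init_storage_prop` type rather than for the single property this change labels, and nothing next to the rule explains why. Any property later given this label would become writable by the script domain as well. I would add a comment above the rule such as `# init_storage_prop: only init and extra_free_kbytes (which records the original watermark_scale_factor) may set it; revisit this exemption before labelling other properties with this type`. The rule constrains `set` only; who may read the type is not visible in this hunk.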
diff --git a/private/property_contexts b/private/property_contexts
index b2586f9..c76fe09 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1147,6 +1147,9 @@
ro.kernel.qemu. u:object_r:exported_default_prop:s0
ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
+# This property is used by init to store the original value or /proc/sys/vm/watermark_scale_factor
+ro.kernel.watermark_scale_factor u:object_r:init_storage_prop:s0 exact int
+
ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
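Review bot: The added comment has a typo, "original value or /proc/sys/vm/watermark_scale_factor" should read "of", and it credits init while the policy grants the write to the extra_free_kbytes domain. It also leaves out what keeps the value stable: none of the added rules forbids a second write by an allowed domain, so the "never be changed afterwards" guarantee from the description presumably rests on the write-once handling of `ro.` properties. Suggested wording: `# Original value of /proc/sys/vm/watermark_scale_factor, recorded once by extra_free_kbytes.sh; write-once because of the ro. prefix`.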