Revert "Revert "Define sepolicy for ro.product.vndk.version""
This reverts commit f536a60407e39cc23b36dea54e2db1e48cfe769f.
Reason for revert: Resubmit the CL with the fix in vendor_init.te
Bug: 144534640
Test: lunch sdk-userdebug; m sepolicy_tests
Change-Id: I47c589c071324d8f031a0f7ebdfa8188869681e9
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 15746a2..51e7b5c 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -199,6 +199,7 @@
vendor_apex_file
vendor_init
vendor_shell
+ vndk_prop
vold_metadata_file
vold_prepare_subdirs
vold_prepare_subdirs_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index fa8d9fe..a8d64bd 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -177,6 +177,7 @@
vendor_init
vendor_security_patch_level_prop
vendor_shell
+ vndk_prop
vold_metadata_file
vold_prepare_subdirs
vold_prepare_subdirs_exec
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 222fa7b..de62740 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -151,5 +151,6 @@
vendor_misc_writer
vendor_misc_writer_exec
vendor_task_profiles_file
+ vndk_prop
vrflinger_vsync_service
watchdogd_tmpfs))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 03b987e..fe622bb 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -62,4 +62,5 @@
vendor_boringssl_self_test
vendor_install_recovery
vendor_install_recovery_exec
+ vndk_prop
virtual_ab_prop))
diff --git a/public/domain.te b/public/domain.te
index e50ef75..4ae6c9a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -101,6 +101,7 @@
get_prop(domain, exported_vold_prop)
get_prop(domain, exported2_default_prop)
get_prop(domain, logd_prop)
+get_prop(domain, vndk_prop)
# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
@@ -509,6 +510,7 @@
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } default_prop:property_service set;
neverallow { domain -init -vendor_init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init } vndk_prop:property_service set;
compatible_property_only(`
neverallow { domain -init } default_prop:property_service set;
diff --git a/public/property.te b/public/property.te
index 50844fb..188178a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -66,6 +66,7 @@
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
system_restricted_prop(userspace_reboot_exported_prop)
+system_restricted_prop(vndk_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
diff --git a/public/property_contexts b/public/property_contexts
index c5b80cf..7e49e9c 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -385,6 +385,7 @@
ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
+ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact enum default legacy AP-assisted
ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
diff --git a/public/vendor_init.te b/public/vendor_init.te
index a756dc1..8230957 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -224,6 +224,7 @@
-module_sdkext_prop
-userspace_reboot_exported_prop
-userspace_reboot_prop
+ -vndk_prop
})
')