init: allow vendor init to action on any vendor or odm property
Partial revert of "init: if vendor_init can read a property, let it be
a trigger too" (b35f827c97).
We made a mistake when we allowed vendor init to action on any vendor
or odm property, since when a new SELinux label is created for a
vendor property, vendor_init does not automatically get read
permissions for it.
Recently, we tried to use read permissions instead of the built-in
list in init, but that broke due to the above mistake. Since we have
already launched with these permissions as is, we must restore them.
Bug: 118457755
Test: no denials for vendor init actionable properties on crosshatch
Change-Id: I7a9a560c9a54a177c6b83d28309e2f288f05d400
parent dd85c74655
commit fa79ae87f1
1 changed files with 12 additions and 0 deletions
|
@ -40,6 +40,18 @@ bool IsActionableProperty(Subcontext* subcontext, const std::string& prop_name)
|
|||
return true;
|
||||
}
|
||||
|
||||
static constexpr const char* kPartnerPrefixes[] = {
|
||||
"init.svc.vendor.", "ro.vendor.", "persist.vendor.",
|
||||
"vendor.", "init.svc.odm.", "ro.odm.",
|
||||
"persist.odm.", "odm.", "ro.boot.",
|
||||
};
|
||||
|
||||
for (const auto& prefix : kPartnerPrefixes) {
|
||||
if (android::base::StartsWith(prop_name, prefix)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return CanReadProperty(subcontext->context(), prop_name);
|
||||
}
|
||||
|
||||
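Review bot: `"ro.boot."` in `kPartnerPrefixes` is neither a vendor nor an odm prefix, while the commit message only speaks of vendor and odm properties; either say in the message why it is included or put a comment on that entry. The array as a whole also lacks a comment: the loop returns true before `return CanReadProperty(subcontext->context(), prop_name);` is reached, so any property matching one of these prefixes is accepted as a trigger without the read-permission check, and nothing in the code tells a reader that this is a deliberate compatibility list. A short comment above the array giving that reason and the bug number (118457755) would make the intent clear.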