platform_system_sepolicy/property.te

40 lines
1.8 KiB
Text
Raw Normal View History

type default_prop, property_type, core_property_type;
type shell_prop, property_type, core_property_type;
type debug_prop, property_type, core_property_type;
type dumpstate_prop, property_type, core_property_type;
type persist_debug_prop, property_type, core_property_type;
type debuggerd_prop, property_type, core_property_type;
type dhcp_prop, property_type, core_property_type;
type fingerprint_prop, property_type, core_property_type;
type ffs_prop, property_type, core_property_type;
type radio_prop, property_type, core_property_type;
type net_radio_prop, property_type, core_property_type;
type system_radio_prop, property_type, core_property_type;
type system_prop, property_type, core_property_type;
type vold_prop, property_type, core_property_type;
type wifi_log_prop, property_type, log_property_type;
type ctl_bootanim_prop, property_type;
type ctl_default_prop, property_type;
type ctl_dumpstate_prop, property_type;
type ctl_fuse_prop, property_type;
type ctl_mdnsd_prop, property_type;
type ctl_rildaemon_prop, property_type;
type ctl_bugreport_prop, property_type;
type ctl_console_prop, property_type;
type audio_prop, property_type, core_property_type;
limit shell's access to log.* properties Restrict the ability of the shell to set the log.* properties. Namely: only allow the shell to set such properities on eng and userdebug builds. The shell (and other domains) can continue to read log.* properties on all builds. While there: harmonize permissions for log.* and persist.log.tag. Doing so introduces two changes: - log.* is now writable from from |system_app|. This mirrors the behavior of persist.log.tag, which is writable to support "Developer options" -> "Logger buffer sizes" -> "Off". (Since this option is visible on user builds, the permission is enabled for all builds.) - persist.log.tag can now be set from |shell| on userdebug_or_eng(). BUG=28221972 TEST=manual (see below) Testing details - user build (log.tag) $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag <blank line> $ adb bugreport | grep log.tag.foo [ 146.525836] init: avc: denied { set } for property=log.tag.foo pid=4644 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:log_prop:s0 tclass=property_service permissive=0 [ 146.525878] init: sys_prop: permission denied uid:2000 name:log.tag.foo - userdebug build (log.tag) $ adb shell getprop log.tag.foo <blank line> $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag.foo V - user build (persist.log.tag) $ adb shell getprop | grep log.tag <no match> - Developer options -> Logger buffer sizes -> Off $ adb shell getprop | grep log.tag [persist.log.tag]: [Settings] [persist.log.tag.snet_event_log]: [I] Change-Id: Idf00e7a623723a7c46bf6d01e386aeca92b2ad75
2016-04-15 20:10:06 +02:00
type log_prop, property_type, log_property_type;
type logd_prop, property_type, core_property_type;
type mmc_prop, property_type;
type restorecon_prop, property_type, core_property_type;
type security_prop, property_type, core_property_type;
type bluetooth_prop, property_type, core_property_type;
type pan_result_prop, property_type, core_property_type;
type powerctl_prop, property_type, core_property_type;
type nfc_prop, property_type, core_property_type;
type dalvik_prop, property_type, core_property_type;
type config_prop, property_type, core_property_type;
type device_logging_prop, property_type;
type safemode_prop, property_type;
allow property_type tmpfs:filesystem associate;