Merge "Allow connectivity namespace to enable native level access flags." am: bbd48ff311 am: c33060a868

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1570024 MUST ONLY BE SUBMITTED BY AUTOMERGER Change-Id: Iee59d02611b508fc9ed26fad8301599e551f3b96
2021-02-08 03:39:39 +00:00 · 2021-02-08 03:39:39 +00:00 · 101dde3fe3
commit 101dde3fe3
parent ccc442e936 c33060a868
6 changed files with 9 additions and 0 deletions
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@ -21,6 +21,7 @@
    debugfs_kprobes
    debugfs_mm_events_tracing
    device_config_profcollect_native_boot_prop
+    device_config_connectivity_prop
    device_state_service
    dm_user_device
    dmabuf_heap_device
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@ -17,6 +17,7 @@ set_prop(flags_health_check, device_config_storage_native_boot_prop)
 set_prop(flags_health_check, device_config_sys_traced_prop)
 set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
 set_prop(flags_health_check, device_config_configuration_prop)
+set_prop(flags_health_check, device_config_connectivity_prop)

 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
--- a/private/network_stack.te
+++ b/private/network_stack.te
@ -44,3 +44,6 @@ allow network_stack bpfloader:bpf { map_read map_write prog_run };
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
 # TODO: Remove this permission when 4.9 kernel is deprecated.
 allow network_stack self:key_socket create;
+
+# Grant read permission of connectivity namespace system property prefix.
+get_prop(network_stack, device_config_connectivity_prop)
--- a/private/property.te
+++ b/private/property.te
@ -8,6 +8,7 @@ system_internal_prop(device_config_storage_native_boot_prop)
 system_internal_prop(device_config_sys_traced_prop)
 system_internal_prop(device_config_window_manager_native_boot_prop)
 system_internal_prop(device_config_configuration_prop)
+system_internal_prop(device_config_connectivity_prop)
 system_internal_prop(fastbootd_protocol_prop)
 system_internal_prop(gsid_prop)
 system_internal_prop(init_perf_lsm_hooks_prop)
--- a/private/property_contexts
+++ b/private/property_contexts
@ -221,6 +221,7 @@ device_config.reset_performed                       u:object_r:device_config_res
 persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
 persist.device_config.attempted_boot_count          u:object_r:device_config_boot_count_prop:s0
 persist.device_config.configuration.                u:object_r:device_config_configuration_prop:s0
+persist.device_config.connectivity.                 u:object_r:device_config_connectivity_prop:s0
 persist.device_config.input_native_boot.            u:object_r:device_config_input_native_boot_prop:s0
 persist.device_config.media_native.                 u:object_r:device_config_media_native_prop:s0
 persist.device_config.netd_native.                  u:object_r:device_config_netd_native_prop:s0
--- a/private/system_server.te
+++ b/private/system_server.te
@ -667,6 +667,7 @@ set_prop(system_server, device_config_storage_native_boot_prop)
 set_prop(system_server, device_config_sys_traced_prop)
 set_prop(system_server, device_config_window_manager_native_boot_prop)
 set_prop(system_server, device_config_configuration_prop)
+set_prop(system_server, device_config_connectivity_prop)

 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
@ -1116,6 +1117,7 @@ neverallow {
  -flags_health_check
 } {
  device_config_activity_manager_native_boot_prop
+  device_config_connectivity_prop
  device_config_input_native_boot_prop
  device_config_netd_native_prop
  device_config_runtime_native_boot_prop