Add contexts for init.svc.* props
This removes the bad context names "exported*_prop" from the init.svc.* properties. The other init.svc.* properties explicitly become system-internal props. Bug: 155844385 Test: boot and see no denials Change-Id: I7a3b4103a4cea77035a6e831e3b6a49a45f15a35
parent
5f1fe1eaac
commit
15e5e0a470
7 changed files with 31 additions and 13 deletions
|
@ -100,6 +100,8 @@
|
|||
heapprofd_socket
|
||||
incident_helper
|
||||
incident_helper_exec
|
||||
init_service_status_private_prop
|
||||
init_service_status_prop
|
||||
iorapd
|
||||
iorapd_data_file
|
||||
iorapd_exec
|
||||
|
|
|
@ -1285,7 +1285,7 @@
|
|||
(typeattributeset default_android_hwservice_30_0 (default_android_hwservice))
|
||||
(typeattributeset default_android_service_30_0 (default_android_service))
|
||||
(typeattributeset default_android_vndservice_30_0 (default_android_vndservice))
|
||||
(typeattributeset default_prop_30_0 (default_prop))
|
||||
(typeattributeset default_prop_30_0 (default_prop init_service_status_private_prop))
|
||||
(typeattributeset dev_cpu_variant_30_0 (dev_cpu_variant))
|
||||
(typeattributeset device_30_0 (device))
|
||||
(typeattributeset device_config_activity_manager_native_boot_prop_30_0 (device_config_activity_manager_native_boot_prop))
|
||||
|
@ -1345,6 +1345,7 @@
|
|||
( exported2_default_prop
|
||||
aac_drc_prop
|
||||
build_prop
|
||||
init_service_status_prop
|
||||
libc_debug_prop))
|
||||
(typeattributeset exported2_radio_prop_30_0 (exported2_radio_prop))
|
||||
(typeattributeset exported2_system_prop_30_0
|
||||
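Review bot: Adding init_service_status_private_prop to `default_prop_30_0` in the `@ -1285` hunk means every rule that vendor policy built against 30.0 holds on default_prop also applies to the new private type. The "only accessible by coredomain" intent stated in the contexts file therefore holds only for vendor images built against a newer API level. That is presumably the intended compatibility behaviour, but nothing in the change records it. A CIL comment above the line, such as `; unlisted init.svc.* props were default_prop in 30.0; mapping keeps old vendor access`, would make the trade-off visible to the next reviewer.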
|
|
|
@ -1,11 +1,12 @@
|
|||
get_prop(coredomain, pm_prop)
|
||||
get_prop(coredomain, camera_config_prop)
|
||||
get_prop(coredomain, dalvik_runtime_prop)
|
||||
get_prop(coredomain, exported_pm_prop)
|
||||
get_prop(coredomain, ffs_config_prop)
|
||||
get_prop(coredomain, lmkd_config_prop)
|
||||
get_prop(coredomain, camera_config_prop)
|
||||
get_prop(coredomain, hdmi_config_prop)
|
||||
get_prop(coredomain, dalvik_runtime_prop)
|
||||
|
||||
get_prop(coredomain, init_service_status_private_prop)
|
||||
get_prop(coredomain, init_service_status_prop)
|
||||
get_prop(coredomain, lmkd_config_prop)
|
||||
get_prop(coredomain, pm_prop)
|
||||
get_prop(coredomain, usb_config_prop)
|
||||
get_prop(coredomain, usb_control_prop)
|
||||
|
||||
|
|
|
@ -7,6 +7,7 @@ system_internal_prop(device_config_configuration_prop)
|
|||
system_internal_prop(fastbootd_protocol_prop)
|
||||
system_internal_prop(gsid_prop)
|
||||
system_internal_prop(init_perf_lsm_hooks_prop)
|
||||
system_internal_prop(init_service_status_private_prop)
|
||||
system_internal_prop(init_svc_debug_prop)
|
||||
system_internal_prop(last_boot_reason_prop)
|
||||
system_internal_prop(netd_stable_secret_prop)
|
||||
|
@ -385,3 +386,10 @@ neverallow {
|
|||
provisioned_prop
|
||||
retaildemo_prop
|
||||
}:file no_rw_file_perms;
|
||||
|
||||
neverallow {
|
||||
-init
|
||||
} {
|
||||
init_service_status_private_prop
|
||||
init_service_status_prop
|
||||
}:property_service set;
|
||||
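Review bot: The source set of the new neverallow is `{ -init }`, an exclusion with no positive member to subtract from; the conventional form is `neverallow { domain -init } { init_service_status_private_prop init_service_status_prop }:property_service set;`. Without a base set the compiler may expand the source to nothing, which would leave an assertion that can never fire. It is worth confirming that a deliberately violating `set_prop` rule actually fails the build. The preceding neverallow begins above this hunk, so its source set is not visible for comparison.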
|
|
|
@ -542,13 +542,17 @@ dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
|
|||
|
||||
hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
|
||||
|
||||
init.svc.bugreport u:object_r:exported2_default_prop:s0 exact string
|
||||
init.svc.console u:object_r:exported2_default_prop:s0 exact string
|
||||
init.svc.dumpstatez u:object_r:exported2_default_prop:s0 exact string
|
||||
init.svc.mediadrm u:object_r:exported2_default_prop:s0 exact string
|
||||
init.svc.surfaceflinger u:object_r:exported2_default_prop:s0 exact string
|
||||
init.svc.tombstoned u:object_r:exported2_default_prop:s0 exact string
|
||||
init.svc.zygote u:object_r:exported2_default_prop:s0 exact string
|
||||
# default contexts only accessible by coredomain
|
||||
init.svc. u:object_r:init_service_status_private_prop:s0 exact string
|
||||
|
||||
# vendor-init-readable init service props
|
||||
init.svc.bugreport u:object_r:init_service_status_prop:s0 exact string
|
||||
init.svc.console u:object_r:init_service_status_prop:s0 exact string
|
||||
init.svc.dumpstatez u:object_r:init_service_status_prop:s0 exact string
|
||||
init.svc.mediadrm u:object_r:init_service_status_prop:s0 exact string
|
||||
init.svc.surfaceflinger u:object_r:init_service_status_prop:s0 exact string
|
||||
init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
|
||||
init.svc.zygote u:object_r:init_service_status_prop:s0 exact string
|
||||
|
||||
libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
|
||||
libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
|
||||
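Review bot: The catch-all entry `init.svc. u:object_r:init_service_status_private_prop:s0 exact string` uses `exact`, which matches only a property literally named `init.svc.`. To act as the default for every other init.svc.* name it needs `prefix`: `init.svc. u:object_r:init_service_status_private_prop:s0 prefix string`. As written, service-status properties other than the seven listed below it would presumably keep falling through to the default label. In that case neither the coredomain-only read restriction nor the init-only set assertion added in this commit would cover them. The "boot and see no denials" test would likely not reveal this, because a property that keeps its previous label produces no new denial.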
|
|
|
@ -62,6 +62,7 @@ system_restricted_prop(boot_status_prop)
|
|||
system_restricted_prop(bq_config_prop)
|
||||
system_restricted_prop(build_prop)
|
||||
system_restricted_prop(fingerprint_prop)
|
||||
system_restricted_prop(init_service_status_prop)
|
||||
system_restricted_prop(libc_debug_prop)
|
||||
system_restricted_prop(module_sdkextensions_prop)
|
||||
system_restricted_prop(nnapi_ext_deny_product_prop)
|
||||
|
|
|
@ -245,6 +245,7 @@ set_prop(vendor_init, zram_control_prop)
|
|||
get_prop(vendor_init, boot_status_prop)
|
||||
get_prop(vendor_init, exported2_radio_prop)
|
||||
get_prop(vendor_init, exported3_system_prop)
|
||||
get_prop(vendor_init, init_service_status_prop)
|
||||
get_prop(vendor_init, ota_prop)
|
||||
get_prop(vendor_init, provisioned_prop)
|
||||
get_prop(vendor_init, retaildemo_prop)
|
||||
|
|