Merge "Finer grained permissions for ctl. properties"
am: a5db154ece
Change-Id: I35ee29d0db1a7385a1ae7765aca6f4604a180dc2
This commit is contained in:
Tom Cherry
android-build-merger
commit
176bc442a4
8 changed files with 50 additions and 5 deletions
|
|
@ -102,7 +102,7 @@
|
|||
(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
|
||||
(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
|
||||
(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
|
||||
(typeattributeset ctl_default_prop_26_0 (ctl_default_prop))
|
||||
(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
|
||||
(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
|
||||
(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
|
||||
(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
|
||||
|
|
|
|||
|
|
@ -118,7 +118,7 @@
|
|||
(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
|
||||
(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
|
||||
(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
|
||||
(typeattributeset ctl_default_prop_26_0 (ctl_default_prop))
|
||||
(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
|
||||
(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
|
||||
(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
|
||||
(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
|
||||
|
|
|
|||
|
|
@ -17,6 +17,10 @@
|
|||
broadcastradio_service
|
||||
cgroup_bpf
|
||||
crossprofileapps_service
|
||||
ctl_interface_restart_prop
|
||||
ctl_interface_start_prop
|
||||
ctl_interface_stop_prop
|
||||
ctl_sigstop_prop
|
||||
e2fs
|
||||
e2fs_exec
|
||||
exfat
|
||||
|
|
|
|||
|
|
@ -823,7 +823,7 @@
|
|||
(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
|
||||
(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
|
||||
(typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
|
||||
(typeattributeset ctl_default_prop_27_0 (ctl_default_prop))
|
||||
(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
|
||||
(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
|
||||
(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
|
||||
(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
|
||||
|
|
|
|||
|
|
@ -15,6 +15,10 @@
|
|||
bpfloader_exec
|
||||
cgroup_bpf
|
||||
crossprofileapps_service
|
||||
ctl_interface_restart_prop
|
||||
ctl_interface_start_prop
|
||||
ctl_interface_stop_prop
|
||||
ctl_sigstop_prop
|
||||
exfat
|
||||
exported2_config_prop
|
||||
exported2_default_prop
|
||||
|
|
|
|||
|
|
@ -5,5 +5,4 @@ init_daemon_domain(hwservicemanager)
|
|||
add_hwservice(hwservicemanager, hidl_manager_hwservice)
|
||||
add_hwservice(hwservicemanager, hidl_token_hwservice)
|
||||
|
||||
set_prop(hwservicemanager, ctl_default_prop)
|
||||
set_prop(hwservicemanager, ctl_dumpstate_prop)
|
||||
set_prop(hwservicemanager, ctl_interface_start_prop)
|
||||
|
|
|
|||
|
|
@ -104,6 +104,16 @@ ctl.bugreport u:object_r:ctl_bugreport_prop:s0
|
|||
ctl.console u:object_r:ctl_console_prop:s0
|
||||
ctl. u:object_r:ctl_default_prop:s0
|
||||
|
||||
# Don't allow blind access to all services
|
||||
ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
|
||||
ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
|
||||
ctl.start$ u:object_r:ctl_start_prop:s0
|
||||
ctl.stop$ u:object_r:ctl_stop_prop:s0
|
||||
ctl.restart$ u:object_r:ctl_restart_prop:s0
|
||||
ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0
|
||||
ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
|
||||
ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
|
||||
|
||||
# NFC properties
|
||||
nfc. u:object_r:nfc_prop:s0
|
||||
|
||||
|
|
|
|||
|
|
@ -11,8 +11,15 @@ type ctl_console_prop, property_type;
|
|||
type ctl_default_prop, property_type;
|
||||
type ctl_dumpstate_prop, property_type;
|
||||
type ctl_fuse_prop, property_type;
|
||||
type ctl_interface_restart_prop, property_type;
|
||||
type ctl_interface_start_prop, property_type;
|
||||
type ctl_interface_stop_prop, property_type;
|
||||
type ctl_mdnsd_prop, property_type;
|
||||
type ctl_restart_prop, property_type;
|
||||
type ctl_rildaemon_prop, property_type;
|
||||
type ctl_sigstop_prop, property_type;
|
||||
type ctl_start_prop, property_type;
|
||||
type ctl_stop_prop, property_type;
|
||||
type dalvik_prop, property_type, core_property_type;
|
||||
type debuggerd_prop, property_type, core_property_type;
|
||||
type debug_prop, property_type, core_property_type;
|
||||
|
|
@ -123,6 +130,27 @@ neverallow * {
|
|||
-vold_prop
|
||||
}:file no_rw_file_perms;
|
||||
|
||||
# sigstop property is only used for debugging; should only be set by su which is permissive
|
||||
# for userdebug/eng
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-vendor_init
|
||||
} ctl_sigstop_prop:property_service set;
|
||||
|
||||
# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
|
||||
# in the audit log
|
||||
dontaudit domain {
|
||||
ctl_bootanim_prop
|
||||
ctl_bugreport_prop
|
||||
ctl_console_prop
|
||||
ctl_default_prop
|
||||
ctl_dumpstate_prop
|
||||
ctl_fuse_prop
|
||||
ctl_mdnsd_prop
|
||||
ctl_rildaemon_prop
|
||||
}:property_service set;
|
||||
|
||||
compatible_property_only(`
|
||||
# Prevent properties from being set
|
||||
neverallow {
|
||||
|
|
|
|||
Loading…
Reference in a new issue