Merge "Finer grained permissions for ctl. properties"
am: a5db154ece
Change-Id: I35ee29d0db1a7385a1ae7765aca6f4604a180dc2
commit
176bc442a4
8 changed files with 50 additions and 5 deletions
|
@ -102,7 +102,7 @@
|
||||||
(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
|
(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
|
||||||
(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
|
(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
|
||||||
(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
|
(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
|
||||||
(typeattributeset ctl_default_prop_26_0 (ctl_default_prop))
|
(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
|
||||||
(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
|
(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
|
||||||
(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
|
(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
|
||||||
(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
|
(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
|
||||||
|
|
|
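Review bot: Adding `ctl_restart_prop ctl_start_prop ctl_stop_prop` to `ctl_default_prop_26_0` means any vendor domain built against the 26.0 policy with `set` on ctl_default_prop also gets `set` on all three new per-action types, so the finer-grained split does not narrow access for those images. That is presumably the intended compatibility behaviour, but the mapping line has no comment recording it. The same widening is made in the second 26.0 mapping hunk and in the `ctl_default_prop_27_0` line of the 27.0 mapping. A short CIL comment above each, such as `; ctl_default_prop was split into per-action types; old vendor policy keeps start/stop/restart`, would make the trade-off visible to the next reviewer.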
@ -118,7 +118,7 @@
|
||||||
(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
|
(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
|
||||||
(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
|
(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
|
||||||
(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
|
(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
|
||||||
(typeattributeset ctl_default_prop_26_0 (ctl_default_prop))
|
(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
|
||||||
(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
|
(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
|
||||||
(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
|
(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
|
||||||
(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
|
(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
|
||||||
|
|
|
@ -17,6 +17,10 @@
|
||||||
broadcastradio_service
|
broadcastradio_service
|
||||||
cgroup_bpf
|
cgroup_bpf
|
||||||
crossprofileapps_service
|
crossprofileapps_service
|
||||||
|
ctl_interface_restart_prop
|
||||||
|
ctl_interface_start_prop
|
||||||
|
ctl_interface_stop_prop
|
||||||
|
ctl_sigstop_prop
|
||||||
e2fs
|
e2fs
|
||||||
e2fs_exec
|
e2fs_exec
|
||||||
exfat
|
exfat
|
||||||
|
|
|
@ -823,7 +823,7 @@
|
||||||
(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
|
(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
|
||||||
(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
|
(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
|
||||||
(typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
|
(typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
|
||||||
(typeattributeset ctl_default_prop_27_0 (ctl_default_prop))
|
(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
|
||||||
(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
|
(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
|
||||||
(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
|
(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
|
||||||
(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
|
(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
|
||||||
|
|
|
@ -15,6 +15,10 @@
|
||||||
bpfloader_exec
|
bpfloader_exec
|
||||||
cgroup_bpf
|
cgroup_bpf
|
||||||
crossprofileapps_service
|
crossprofileapps_service
|
||||||
|
ctl_interface_restart_prop
|
||||||
|
ctl_interface_start_prop
|
||||||
|
ctl_interface_stop_prop
|
||||||
|
ctl_sigstop_prop
|
||||||
exfat
|
exfat
|
||||||
exported2_config_prop
|
exported2_config_prop
|
||||||
exported2_default_prop
|
exported2_default_prop
|
||||||
|
|
|
@ -5,5 +5,4 @@ init_daemon_domain(hwservicemanager)
|
||||||
add_hwservice(hwservicemanager, hidl_manager_hwservice)
|
add_hwservice(hwservicemanager, hidl_manager_hwservice)
|
||||||
add_hwservice(hwservicemanager, hidl_token_hwservice)
|
add_hwservice(hwservicemanager, hidl_token_hwservice)
|
||||||
|
|
||||||
set_prop(hwservicemanager, ctl_default_prop)
|
set_prop(hwservicemanager, ctl_interface_start_prop)
|
||||||
set_prop(hwservicemanager, ctl_dumpstate_prop)
|
|
||||||
|
|
|
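Review bot: The new `set_prop(hwservicemanager, ctl_interface_start_prop)` line has no comment saying why hwservicemanager needs it, and nothing in this commit limits which other domains may later be granted the same type. A comment such as `# hwservicemanager asks init to start a service by the interface it provides` (wording to be confirmed against init's handling) would document the grant. Dropping `ctl_default_prop` and `ctl_dumpstate_prop` here is a real reduction. Consider also a neverallow on `ctl_interface_start_prop:property_service set` for domains other than the intended setters, as the commit already does for ctl_sigstop_prop.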
@ -104,6 +104,16 @@ ctl.bugreport u:object_r:ctl_bugreport_prop:s0
|
||||||
ctl.console u:object_r:ctl_console_prop:s0
|
ctl.console u:object_r:ctl_console_prop:s0
|
||||||
ctl. u:object_r:ctl_default_prop:s0
|
ctl. u:object_r:ctl_default_prop:s0
|
||||||
|
|
||||||
|
# Don't allow blind access to all services
|
||||||
|
ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
|
||||||
|
ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
|
||||||
|
ctl.start$ u:object_r:ctl_start_prop:s0
|
||||||
|
ctl.stop$ u:object_r:ctl_stop_prop:s0
|
||||||
|
ctl.restart$ u:object_r:ctl_restart_prop:s0
|
||||||
|
ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0
|
||||||
|
ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
|
||||||
|
ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
|
||||||
|
|
||||||
# NFC properties
|
# NFC properties
|
||||||
nfc. u:object_r:nfc_prop:s0
|
nfc. u:object_r:nfc_prop:s0
|
||||||
|
|
||||||
|
|
|
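Review bot: The comment `# Don't allow blind access to all services` above the new `ctl.*$` entries does not say what these entries match or how they relate to the `ctl.` catch-all directly above them. It appears that `$` separates the action from the target service name and that these longer prefixes take precedence over `ctl.`, but that is inferred and should be confirmed. Suggested comment: `# ctl.<action>$<service> gets a per-action label, so a domain can be granted one action without set on ctl_default_prop`. Note that `ctl.sigstop_on$` and `ctl.sigstop_off$` share the single type ctl_sigstop_prop, so the two cannot be granted separately.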
@ -11,8 +11,15 @@ type ctl_console_prop, property_type;
|
||||||
type ctl_default_prop, property_type;
|
type ctl_default_prop, property_type;
|
||||||
type ctl_dumpstate_prop, property_type;
|
type ctl_dumpstate_prop, property_type;
|
||||||
type ctl_fuse_prop, property_type;
|
type ctl_fuse_prop, property_type;
|
||||||
|
type ctl_interface_restart_prop, property_type;
|
||||||
|
type ctl_interface_start_prop, property_type;
|
||||||
|
type ctl_interface_stop_prop, property_type;
|
||||||
type ctl_mdnsd_prop, property_type;
|
type ctl_mdnsd_prop, property_type;
|
||||||
|
type ctl_restart_prop, property_type;
|
||||||
type ctl_rildaemon_prop, property_type;
|
type ctl_rildaemon_prop, property_type;
|
||||||
|
type ctl_sigstop_prop, property_type;
|
||||||
|
type ctl_start_prop, property_type;
|
||||||
|
type ctl_stop_prop, property_type;
|
||||||
type dalvik_prop, property_type, core_property_type;
|
type dalvik_prop, property_type, core_property_type;
|
||||||
type debuggerd_prop, property_type, core_property_type;
|
type debuggerd_prop, property_type, core_property_type;
|
||||||
type debug_prop, property_type, core_property_type;
|
type debug_prop, property_type, core_property_type;
|
||||||
|
@ -123,6 +130,27 @@ neverallow * {
|
||||||
-vold_prop
|
-vold_prop
|
||||||
}:file no_rw_file_perms;
|
}:file no_rw_file_perms;
|
||||||
|
|
||||||
|
# sigstop property is only used for debugging; should only be set by su which is permissive
|
||||||
|
# for userdebug/eng
|
||||||
|
neverallow {
|
||||||
|
domain
|
||||||
|
-init
|
||||||
|
-vendor_init
|
||||||
|
} ctl_sigstop_prop:property_service set;
|
||||||
|
|
||||||
|
# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
|
||||||
|
# in the audit log
|
||||||
|
dontaudit domain {
|
||||||
|
ctl_bootanim_prop
|
||||||
|
ctl_bugreport_prop
|
||||||
|
ctl_console_prop
|
||||||
|
ctl_default_prop
|
||||||
|
ctl_dumpstate_prop
|
||||||
|
ctl_fuse_prop
|
||||||
|
ctl_mdnsd_prop
|
||||||
|
ctl_rildaemon_prop
|
||||||
|
}:property_service set;
|
||||||
|
|
||||||
compatible_property_only(`
|
compatible_property_only(`
|
||||||
# Prevent properties from being set
|
# Prevent properties from being set
|
||||||
neverallow {
|
neverallow {
|
||||||
|
|
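Review bot: The comment above the new `neverallow { domain -init -vendor_init } ctl_sigstop_prop:property_service set;` says the property should only be set by su, but the rule exempts init and vendor_init and does not mention su. Suggested rewording: `# sigstop is debug-only: no domain except init and vendor_init may be allowed to set it.` followed by `# su can still set it on userdebug/eng because it is permissive.` Separately, the `dontaudit domain { ... }:property_service set;` block silences every denied set on the eight legacy ctl types for all domains. That loses no visibility only if the new per-action check always runs, and is audited, before the legacy one. Its comment should state that dependency, so a later change to the check order does not silently remove these denials from the audit log.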