diff --git a/private/property_contexts b/private/property_contexts
index 340756033..a27b7566f 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -59,6 +59,8 @@ persist.security. u:object_r:system_prop:s0
 persist.vendor.overlay. u:object_r:overlay_prop:s0
 ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
 ro.boottime. u:object_r:boottime_prop:s0
+ro.serialno u:object_r:serialno_prop:s0
+ro.boot.serialno u:object_r:serialno_prop:s0
 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
diff --git a/public/adbd.te b/public/adbd.te
index 675219a61..59ee3e131 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -55,6 +55,9 @@ set_prop(adbd, ffs_prop)
 # Access device logging gating property
 get_prop(adbd, device_logging_prop)
+# Read device's serial number from system properties
+get_prop(adbd, serialno_prop)
+
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
diff --git a/public/domain.te b/public/domain.te
index c9f7f6f0d..47b3e5a46 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -374,6 +374,18 @@ neverallow * default_android_service:service_manager add;
 neverallow { domain -init } default_prop:property_service set;
 neverallow { domain -init } mmc_prop:property_service set;
+# Do not allow reading device's serial number from system properties except form
+# a few whitelisted domains.
+neverallow {
+ domain
+ -adbd
+ -dumpstate
+ -init
+ -mediadrmserver
+ -recovery
+ -system_server
+} serialno_prop:file r_file_perms;
+
 neverallow {
 domain
 -init
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 08d24ae5e..ee617e5ff 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
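Review bot: The two new entries `+ro.serialno` and `+ro.boot.serialno` are the only thing that moves the serial off the fallback label, so their match semantics deserve a comment: entries in this file are prefix matches (the neighbouring `ro.boottime.` and `persist.vendor.overlay.` keys rely on that), and nothing in the hunk says which entry wins when more than one prefix matches a key. If the loader takes the first match, a broader `ro.` or `ro.boot.` entry earlier in the file would silently relabel these as something every domain can read; I cannot see the rest of the file, so this is worth checking once. I would add `# ro.serialno / ro.boot.serialno hold the hardware serial; keep them on serialno_prop, which domain.te read-restricts with a neverallow` above the two lines so the next person editing the prefix list knows the label is load-bearing.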
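Review bot: The comment on the new neverallow reads `except form a few whitelisted domains`; it should be `except from a few whitelisted domains`, and since this exemption list is the entire access-control decision for the serial it should also state why each listed domain needs it. Nothing here exempts an adb shell domain, so `adb shell getprop ro.serialno` will presumably be denied even though `adbd` itself keeps the read — say explicitly whether that is intended. Every other domain, including app domains, loses in-process access, so the change only holds up if the framework exposes the serial through `system_server` behind its own permission check; that change is not in this diff, so presumably it lands alongside. I would expand the header to `# Only the domains listed below may read the serial; justify each exemption here. Everything else, including shell and all app domains, is rejected at policy build time.`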
@@ -187,6 +187,9 @@ set_prop(dumpstate, dumpstate_prop)
 # dumpstate_options_prop is used to pass extra command-line args.
 set_prop(dumpstate, dumpstate_options_prop)
+# Read device's serial number from system properties
+get_prop(dumpstate, serialno_prop)
+
 # Access to /data/media.
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index b08664f27..c9e28d775 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -55,6 +55,9 @@ allow mediadrmserver surfaceflinger_service:service_manager find;
 allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket } ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+# Permit reading device's serial number from system properties
+get_prop(mediadrmserver, serialno_prop)
+
 ###
 ### neverallow rules
 ###
diff --git a/public/property.te b/public/property.te
index 731eee518..0bba50d3a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -36,6 +36,7 @@ type powerctl_prop, property_type, core_property_type;
 type radio_prop, property_type, core_property_type;
 type restorecon_prop, property_type, core_property_type;
 type safemode_prop, property_type;
+type serialno_prop, property_type;
 type shell_prop, property_type, core_property_type;
 type system_prop, property_type, core_property_type;
 type system_radio_prop, property_type, core_property_type;
diff --git a/public/recovery.te b/public/recovery.te
index 32601e39a..bbee92823 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -92,6 +92,9 @@ recovery_only(`
 # Start/stop adbd via ctl.start adbd
 set_prop(recovery, ctl_default_prop)
+ # Read device's serial number from system properties
+ get_prop(recovery, serialno_prop)
+
 # Use setfscreatecon() to label files for OTA updates.
 allow recovery self:process setfscreate;
diff --git a/public/system_server.te b/public/system_server.te
index 6bbe9913c..bc1dd9f34 100644
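Review bot: `get_prop(mediadrmserver, serialno_prop)` hands a persistent hardware identifier to a domain that, per the `allowxperm` line directly above, also holds raw IP, TCP and UDP sockets, and the comment only restates what the macro does. The exemption is presumably needed by whatever DRM code runs in this process, but that rationale belongs in the policy so it can be re-evaluated if that code moves to another domain — any other domain that ends up needing the serial will trip the new neverallow in domain.te rather than silently work. I would replace the comment with one naming the concrete consumer, e.g. `# <component> in mediadrmserver derives its device identifier from ro.serialno; serialno_prop is read-restricted by a neverallow in domain.te, extend that list before reusing this rule elsewhere.`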
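Review bot: `type serialno_prop, property_type;` omits `core_property_type`, unlike most of its neighbours, and that omission is presumably what keeps the serial out of whatever blanket read grant the rest of the policy gives to `core_property_type`; a comment should say so, because the consistent-looking cleanup of adding `core_property_type` later would either reopen the read to every domain or break the build against the domain.te neverallow. I would write `type serialno_prop, property_type; # not core_property_type: readable only by the domains exempted in domain.te`. `safemode_prop` two lines up follows the same pattern and leaves the reader to guess why.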
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -388,6 +388,9 @@ set_prop(system_server, cppreopt_prop)
 # Collect metrics on boot time created by init
 get_prop(system_server, boottime_prop)
+# Read device's serial number from system properties
+get_prop(system_server, serialno_prop)
+
 # Create a socket for receiving info from wpa.
 allow system_server wpa_socket:dir rw_dir_perms;
 allow system_server system_wpa_socket:sock_file create_file_perms;