Merge "Add sepolicy for microdroid_config_prop sysprops" am: ddc29b8d79

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2318890 Change-Id: I10cd67f604e3f9e1246cc51130988d906d037426 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-11-29 11:19:13 +00:00 · 2022-11-29 11:19:13 +00:00 · 2039173556
commit 2039173556
parent 50eb2db0a1 ddc29b8d79
4 changed files with 20 additions and 0 deletions
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@ -82,6 +82,9 @@ get_prop(microdroid_manager, microdroid_manager_zipfuse_prop)
 # Allow microdroid_manager to pass the roothash to apkdmverity
 set_prop(microdroid_manager, microdroid_manager_roothash_prop)

+# Allow microdroid_manager to set sysprops calculated from the payload config
+set_prop(microdroid_manager, microdroid_config_prop)
+
 # Allow microdroid_manager to shutdown the device when verification fails
 set_prop(microdroid_manager, powerctl_prop)

--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@ -39,3 +39,16 @@ neverallow {
  domain
  -init
 } apexd_payload_metadata_prop:property_service set;
+
+# Only microdroid_manager and init can set the microdroid_config_prop sysprops
+neverallow {
+    domain
+    -init
+    -microdroid_manager
+} microdroid_config_prop:property_service set;
+
+neverallow {
+    domain
+    -init
+    -microdroid_manager
+} microdroid_config_prop:file no_rw_file_perms;
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@ -121,6 +121,9 @@ apex_config.done u:object_r:apex_config_prop:s0 exact bool
 microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
 microdroid_manager.apk.mounted u:object_r:microdroid_manager_zipfuse_prop:s0 exact bool

+microdroid_manager.authfs.enabled u:object_r:microdroid_config_prop:s0 exact bool
+microdroid_manager.config_done u:object_r:microdroid_config_prop:s0 exact bool
+
 dev.mnt.blk.root   u:object_r:dev_mnt_prop:s0 exact string
 dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
 dev.mnt.dev.root   u:object_r:dev_mnt_prop:s0 exact string
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@ -40,6 +40,7 @@ type log_prop, property_type;
 type log_tag_prop, property_type;
 type microdroid_manager_roothash_prop, property_type;
 type microdroid_manager_zipfuse_prop, property_type;
+type microdroid_config_prop, property_type;
 type property_service_version_prop, property_type;
 type shell_prop, property_type;
 type timezone_prop, property_type;