Add missing properties to microdroid am: deaa8b9f4a

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2106044

Change-Id: I847ae3fac14c423243f9e113c1ba1a44bd294aa5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Inseob Kim 2023-06-09 05:01:04 +00:00 committed by Automerger Merge Worker
commit 20a9d569d2
3 changed files with 29 additions and 0 deletions


@ -252,6 +252,10 @@ allow domain crash_dump:process sigchld;
# Properties that microdroid doesn't have but some still want to read.
dontaudit domain { heapprofd_prop timezone_prop }:file r_file_perms;
# Allow all processes to "read" non_existing_prop to suppress libc's access denial logs.
# dontaudit is not enough; it's still fine because they can't be written, by neverallow rules
get_prop(domain, non_existing_prop)
###
### neverallow rules
###
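Review bot: The comment above `get_prop(domain, non_existing_prop)` says dontaudit is not enough but not why, and its safety argument rests on a neverallow that lives in another file. Because this line makes the type readable by every domain, I would state both facts next to it, e.g. `# dontaudit only hides the avc denial; libc still logs when it cannot open the property area, so grant read instead.` and `# Safe only while nothing but init may set non_existing_prop (see the neverallow next to its type declaration).` The stated reason for dontaudit being insufficient is my reading of the existing comment and should be confirmed by the author.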


@ -5,6 +5,7 @@ system_public_prop(dalvik_config_prop)
system_public_prop(dalvik_dynamic_config_prop)
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(non_existing_prop)
typeattribute dalvik_config_prop dalvik_config_prop_type;
typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;
@ -61,3 +62,8 @@ neverallow {
-microdroid_manager
-crash_dump
} {microdroid_config_prop}:file no_rw_file_perms;
neverallow {
domain
-init
} non_existing_prop:property_service set;
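Review bot: The neverallow added at the end of this file has no comment linking it to the domain-wide read grant made in the same commit, and that link is the whole safety argument for the new type. I would add above it `# non_existing_prop is readable by all domains; keep it unset by forbidding writes from everything except init.` It would also help to say whether init is exempted because it is expected to set some of these names, or only because its blanket property permissions would otherwise trip the rule; the hunk does not show which.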


@ -145,6 +145,7 @@ libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
persist.arm64.memtag. u:object_r:non_existing_prop:s0 prefix string
persist.sys.timezone u:object_r:timezone_prop:s0 exact string
@ -171,3 +172,21 @@ dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_p
dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
# These non_existing_prop properties are unused in microdroid, but added here to suppress libc's
# access denial logs.
libc.debug.gwp_asan. u:object_r:non_existing_prop:s0 prefix string
persist.libc.debug.gwp_asan. u:object_r:non_existing_prop:s0 prefix string
persist.adb.tls_server.enable u:object_r:non_existing_prop:s0 exact bool
persist.adb.watchdog.timeout_secs u:object_r:non_existing_prop:s0 exact int
persist.adb.watchdog u:object_r:non_existing_prop:s0 exact bool
persist.device_config. u:object_r:non_existing_prop:s0 prefix string
persist.sys.test_harness u:object_r:non_existing_prop:s0 exact bool
ro.arch u:object_r:non_existing_prop:s0 exact string
ro.boot.vsock_tombstone_port u:object_r:non_existing_prop:s0 exact int
ro.product.device u:object_r:non_existing_prop:s0 exact string
ro.product.model u:object_r:non_existing_prop:s0 exact string
ro.product.name u:object_r:non_existing_prop:s0 exact string
ro.product.vndk.version u:object_r:non_existing_prop:s0 exact string
ro.secure u:object_r:non_existing_prop:s0 exact bool
ro.serialno u:object_r:non_existing_prop:s0 exact string
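Review bot: Several names in the new block at the end of the file (`ro.serialno`, `ro.boot.vsock_tombstone_port`, `ro.product.*`, `ro.secure`) are of the kind init usually fills from boot parameters or build properties, and init is the one domain still allowed to set non_existing_prop. If any of them ever gets a value in microdroid, it becomes readable by every domain through the domain-wide get_prop, so the comment should state a constraint rather than only "unused", e.g. `# Must stay unset: non_existing_prop is readable by all domains. Give a property its own type before anything starts setting it.` The `persist.arm64.memtag.` entry in the first hunk sits outside this commented block and would benefit from the same one-line explanation. Whether any of these names is populated today cannot be determined from the diff.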