Merge "Allow the remote provisioner app to set rkp_only properties"
commit
222e99e26f
4 changed files with 11 additions and 7 deletions
|
@ -105,9 +105,6 @@ neverallow { domain -init } property_service_version_prop:property_service set;
|
||||||
# Only init can set keystore.boot_level
|
# Only init can set keystore.boot_level
|
||||||
neverallow { domain -init } keystore_listen_prop:property_service set;
|
neverallow { domain -init } keystore_listen_prop:property_service set;
|
||||||
|
|
||||||
# Only init can set the ro.remote_provisioning.* props
|
|
||||||
neverallow { domain -init } remote_prov_prop:property_service set;
|
|
||||||
|
|
||||||
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
|
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
|
||||||
allow init debugfs_bootreceiver_tracing:file w_file_perms;
|
allow init debugfs_bootreceiver_tracing:file w_file_perms;
|
||||||
|
|
||||||
|
|
|
@ -615,6 +615,13 @@ neverallow {
|
||||||
# Property types having both attributes won't be accessible from anywhere.
|
# Property types having both attributes won't be accessible from anywhere.
|
||||||
neverallow domain system_and_vendor_property_type:{file property_service} *;
|
neverallow domain system_and_vendor_property_type:{file property_service} *;
|
||||||
|
|
||||||
|
neverallow {
|
||||||
|
# Only init and the remote provisioner can set the ro.remote_provisioning.* props
|
||||||
|
domain
|
||||||
|
-init
|
||||||
|
-remote_prov_app
|
||||||
|
} remote_prov_prop:property_service set;
|
||||||
|
|
||||||
neverallow {
|
neverallow {
|
||||||
# Only allow init and shell to set rollback_test_prop
|
# Only allow init and shell to set rollback_test_prop
|
||||||
domain
|
domain
|
||||||
|
|
|
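Review bot: The `-remote_prov_app` exemption in the added neverallow covers the whole `remote_prov_prop` type, so the app may set every property carrying that label, not only the two `rkp_only` entries the commit title names. If other properties share the label (the contexts file is only partly visible on this page), a separate type for the runtime-writable ones would keep the rule as tight as before for the rest. The in-block comment also still names `ro.remote_provisioning.*`, while the contexts change in this commit appears to drop the `ro.` prefix; `# Only init and the remote provisioner can set the remote_provisioning.* props` would match.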
@ -1256,9 +1256,9 @@ zygote.critical_window.minute u:object_r:zygote_config_prop:s0 exact int
|
||||||
|
|
||||||
ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
|
ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
|
||||||
|
|
||||||
# Store the URL that the provisioning code should point at.
|
# Allows a device to run without batch attestation keys
|
||||||
ro.remote_provisioning.strongbox.rkp_only u:object_r:remote_prov_prop:s0 exact bool
|
remote_provisioning.strongbox.rkp_only u:object_r:remote_prov_prop:s0 exact bool
|
||||||
ro.remote_provisioning.tee.rkp_only u:object_r:remote_prov_prop:s0 exact bool
|
remote_provisioning.tee.rkp_only u:object_r:remote_prov_prop:s0 exact bool
|
||||||
|
|
||||||
# Broadcast boot stages, which keystore listens to
|
# Broadcast boot stages, which keystore listens to
|
||||||
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
|
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
|
||||||
|
|
|
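Review bot: Dropping the `ro.` prefix on the two `rkp_only` entries (judging by the commit title, the non-`ro.` names are the new side) makes them settable more than once after boot, and nothing on this page shows their readers being moved to the new names. A component still reading `ro.remote_provisioning.tee.rkp_only` or `ro.remote_provisioning.strongbox.rkp_only` would presumably see the property as unset and use its default, so the consumers should be checked in the same change. Since the new comment says the flag lets a device run without batch attestation keys, a line such as `# Runtime-writable by init and remote_prov_app only; readers must not cache the value` would record the new contract.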
@ -4,7 +4,7 @@ typeattribute remote_prov_app coredomain;
|
||||||
app_domain(remote_prov_app)
|
app_domain(remote_prov_app)
|
||||||
net_domain(remote_prov_app)
|
net_domain(remote_prov_app)
|
||||||
|
|
||||||
get_prop(remote_prov_app, remote_prov_prop)
|
set_prop(remote_prov_app, remote_prov_prop)
|
||||||
# The app needs access to properly build a DeviceInfo package for the verifying server
|
# The app needs access to properly build a DeviceInfo package for the verifying server
|
||||||
get_prop(remote_prov_app, vendor_security_patch_level_prop)
|
get_prop(remote_prov_app, vendor_security_patch_level_prop)
|
||||||
|
|
||||||
|
|
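Review bot: The `set_prop(remote_prov_app, remote_prov_prop)` line carries no comment, unlike the `get_prop` below it, although it gives a `net_domain` app write access to properties that decide whether batch attestation keys are needed. A short rationale above it would help later policy audits, for example `# Lets the provisioner mark the device RKP-only once remotely provisioned keys are in place` (wording to be confirmed by the author). In AOSP's macro definitions `set_prop` also grants `get_prop`, so the read access this line replaces is retained.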