Merge "Add apexd_config_prop type"

2021-03-15 13:04:50 +00:00 · 2021-03-15 13:04:50 +00:00 · 49505cdbc1
commit 49505cdbc1
parent 68e7eaf35d 360e0f91c3
5 changed files with 19 additions and 0 deletions
--- a/private/apexd.te
+++ b/private/apexd.te
@ -158,6 +158,9 @@ allow apexd toolbox_exec:file rx_file_perms;
 # apexd uses it to decide whether it needs to keep retrying polling for loop device.
 get_prop(apexd, cold_boot_done_prop)

+# Allow apexd to read per-device configuration properties.
+get_prop(apexd, apexd_config_prop)
+
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@ -13,6 +13,7 @@
    apex_info_file
    apex_ota_reserved_file
    apex_scheduling_data_file
+    apexd_config_prop
    app_hibernation_service
    appcompat_data_file
    arm64_memtag_prop
--- a/private/property.te
+++ b/private/property.te
@ -601,3 +601,15 @@ neverallow {
  -init
  -shell
 } rollback_test_prop:property_service set;
+
+# Only init and vendor_init are allowed to set apexd_config_prop
+neverallow { domain -init -vendor_init } apexd_config_prop:property_service set;
+
+# apexd_config properties should only be read by apexd, and dumpstate (to appear in bugreports).
+neverallow {
+  domain
+  -apexd
+  -init
+  -dumpstate
+  -vendor_init
+} apexd_config_prop:file no_rw_file_perms;
--- a/private/property_contexts
+++ b/private/property_contexts
@ -244,6 +244,8 @@ persist.device_config.window_manager_native_boot.   u:object_r:device_config_win
 persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0

 apexd.                  u:object_r:apexd_prop:s0
+apexd.config.dm_delete.timeout           u:object_r:apexd_config_prop:s0 exact uint
+apexd.config.dm_create.timeout           u:object_r:apexd_config_prop:s0 exact uint
 persist.apexd.          u:object_r:apexd_prop:s0

 bpf.progs_loaded        u:object_r:bpf_progs_loaded_prop:s0
--- a/public/property.te
+++ b/public/property.te
@ -112,6 +112,7 @@ compatible_property_only(`
 ')

 # Properties which can be written only by vendor_init
+system_vendor_config_prop(apexd_config_prop)
 system_vendor_config_prop(aaudio_config_prop)
 system_vendor_config_prop(apk_verity_prop)
 system_vendor_config_prop(audio_config_prop)