Merge "Fix vendor defining macros and neverallows"

2019-12-04 01:12:15 +00:00 · 2019-12-04 01:12:15 +00:00 · 54072d9a73
commit 54072d9a73
parent 4c1e76adcb b4baf73477
2 changed files with 14 additions and 16 deletions
--- a/public/property.te
+++ b/public/property.te
@ -234,6 +234,7 @@ treble_sysprop_neverallow(`

 neverallow { domain -coredomain } {
  system_property_type
+  system_internal_property_type
  -system_restricted_property_type
  -system_public_property_type
 }:file no_rw_file_perms;
@ -243,25 +244,20 @@ neverallow { domain -coredomain } {
  -system_public_property_type
 }:property_service set;

-neverallow { domain -coredomain } {
-  system_internal_property_type
-}:file no_rw_file_perms;
-
-neverallow coredomain {
+# init is in coredomain, but should be able to read/write all props.
+# dumpstate is also in coredomain, but should be able to read all props.
+neverallow { coredomain -init -dumpstate } {
  vendor_property_type
+  vendor_internal_property_type
  -vendor_restricted_property_type
  -vendor_public_property_type
 }:file no_rw_file_perms;

-neverallow coredomain {
+neverallow { coredomain -init } {
  vendor_property_type
  -vendor_public_property_type
 }:property_service set;

-neverallow coredomain {
-  vendor_internal_property_type
-}:file no_rw_file_perms;
-
 ')

 # There is no need to perform ioctl or advisory locking operations on
--- a/public/te_macros
+++ b/public/te_macros
@ -772,7 +772,7 @@ define(`define_prop', `
 define(`system_internal_prop', `
  define_prop($1, system, internal)
  treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:file no_rw_file_perms;
+    neverallow { domain -coredomain } $1:file no_rw_file_perms;
  ')
 ')

@ -785,7 +785,7 @@ define(`system_internal_prop', `
 define(`system_restricted_prop', `
  define_prop($1, system, restricted)
  treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:property_service set;
+    neverallow { domain -coredomain } $1:property_service set;
  ')
 ')

@ -804,7 +804,7 @@ define(`system_public_prop', `define_prop($1, system, public)')
 define(`product_internal_prop', `
  define_prop($1, product, internal)
  treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:file no_rw_file_perms;
+    neverallow { domain -coredomain } $1:file no_rw_file_perms;
  ')
 ')

@ -817,7 +817,7 @@ define(`product_internal_prop', `
 define(`product_restricted_prop', `
  define_prop($1, product, restricted)
  treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:property_service set;
+    neverallow { domain -coredomain } $1:property_service set;
  ')
 ')

@ -836,7 +836,8 @@ define(`product_public_prop', `define_prop($1, product, public)')
 define(`vendor_internal_prop', `
  define_prop($1, vendor, internal)
  treble_sysprop_neverallow(`
-    neverallow coredomain $1:file no_rw_file_perms;
+# init and dumpstate are in coredomain, but should be able to read all props.
+    neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
  ')
 ')

@ -849,7 +850,8 @@ define(`vendor_internal_prop', `
 define(`vendor_restricted_prop', `
  define_prop($1, vendor, restricted)
  treble_sysprop_neverallow(`
-    neverallow coredomain $1:property_service set;
+# init is in coredomain, but should be able to write all props.
+    neverallow { coredomain -init } $1:property_service set;
  ')
 ')