Merge "Allow vendor_init without compatible_property to write most properties" am: 873d6ad6fa
am: d9957e5439
am: 4f809e771e
Change-Id: I5615b53ea29de37cfc3fae897d56fe967f76600c
This commit is contained in:
commit
590dda5175
2 changed files with 17 additions and 2 deletions
|
@ -506,10 +506,12 @@ neverallow * hidl_base_hwservice:hwservice_manager find;
|
|||
|
||||
# Require that domains explicitly label unknown properties, and do not allow
|
||||
# anyone but init to modify unknown properties.
|
||||
neverallow { domain -init } default_prop:property_service set;
|
||||
neverallow { domain -init } mmc_prop:property_service set;
|
||||
neverallow { domain -init -vendor_init } default_prop:property_service set;
|
||||
neverallow { domain -init -vendor_init } mmc_prop:property_service set;
|
||||
|
||||
compatible_property_only(`
|
||||
neverallow { domain -init } default_prop:property_service set;
|
||||
neverallow { domain -init } mmc_prop:property_service set;
|
||||
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
|
||||
neverallow { domain -init -vendor_init } exported2_default_prop:property_service set;
|
||||
neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
|
||||
|
|
|
@ -218,6 +218,19 @@ allow vendor_init serialno_prop:file { getattr open read };
|
|||
# Vendor init can perform operations on trusted and security Extended Attributes
|
||||
allow vendor_init self:global_capability_class_set sys_admin;
|
||||
|
||||
not_compatible_property(`
|
||||
set_prop(vendor_init, {
|
||||
property_type
|
||||
-restorecon_prop
|
||||
-netd_stable_secret_prop
|
||||
-firstboot_prop
|
||||
-pm_prop
|
||||
-system_boot_reason_prop
|
||||
-bootloader_boot_reason_prop
|
||||
-last_boot_reason_prop
|
||||
})
|
||||
')
|
||||
|
||||
set_prop(vendor_init, debug_prop)
|
||||
set_prop(vendor_init, exported_config_prop)
|
||||
set_prop(vendor_init, exported_dalvik_prop)
|
||||
|
|
Loading…
Reference in a new issue