Define sepolicy for ro.product.vndk.version

Define a new property_context vndk_prop for ro.product.vndk.version. It is set by init process but public to all modules. Bug: 144534640 Test: check if ro.product.vndk.version is set correctly. Change-Id: If739d4e25de93d9ed2ee2520408e07a8c87d46fe
2020-01-06 10:42:14 +09:00 · 2020-01-06 10:42:14 +09:00 · 59e3983d1f
commit 59e3983d1f
parent 6570d6d3c7
7 changed files with 8 additions and 0 deletions
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@ -199,6 +199,7 @@
    vendor_apex_file
    vendor_init
    vendor_shell
+    vndk_prop
    vold_metadata_file
    vold_prepare_subdirs
    vold_prepare_subdirs_exec
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@ -177,6 +177,7 @@
    vendor_init
    vendor_security_patch_level_prop
    vendor_shell
+    vndk_prop
    vold_metadata_file
    vold_prepare_subdirs
    vold_prepare_subdirs_exec
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@ -151,5 +151,6 @@
    vendor_misc_writer
    vendor_misc_writer_exec
    vendor_task_profiles_file
+    vndk_prop
    vrflinger_vsync_service
    watchdogd_tmpfs))
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@ -62,4 +62,5 @@
    vendor_boringssl_self_test
    vendor_install_recovery
    vendor_install_recovery_exec
+    vndk_prop
    virtual_ab_prop))
--- a/public/domain.te
+++ b/public/domain.te
@ -101,6 +101,7 @@ get_prop(domain, exported_system_prop)
 get_prop(domain, exported_vold_prop)
 get_prop(domain, exported2_default_prop)
 get_prop(domain, logd_prop)
+get_prop(domain, vndk_prop)

 # Let everyone read log properties, so that liblog can avoid sending unloggable
 # messages to logd.
@ -509,6 +510,7 @@ neverallow * hidl_base_hwservice:hwservice_manager find;
 # anyone but init to modify unknown properties.
 neverallow { domain -init -vendor_init } default_prop:property_service set;
 neverallow { domain -init -vendor_init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init } vndk_prop:property_service set;

 compatible_property_only(`
    neverallow { domain -init } default_prop:property_service set;
--- a/public/property.te
+++ b/public/property.te
@ -66,6 +66,7 @@ system_restricted_prop(restorecon_prop)
 system_restricted_prop(system_boot_reason_prop)
 system_restricted_prop(system_jvmti_agent_prop)
 system_restricted_prop(userspace_reboot_exported_prop)
+system_restricted_prop(vndk_prop)

 compatible_property_only(`
    # DO NOT ADD ANY PROPERTIES HERE
--- a/public/property_contexts
+++ b/public/property_contexts
@ -385,6 +385,7 @@ ro.product.vendor.device u:object_r:exported_default_prop:s0 exact string
 ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
 ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
 ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
+ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
 ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact enum default legacy AP-assisted
 ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
 ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int