Replace unix_socket_connect() and explicit property sets with macro

A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

adbd.te

@@ -42,10 +42,9 @@ allow adbd anr_data_file:dir r_dir_perms;
 allow adbd anr_data_file:file r_file_perms;
 
 # Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
-unix_socket_connect(adbd, property, init)
-allow adbd shell_prop:property_service set;
-allow adbd powerctl_prop:property_service set;
-allow adbd ffs_prop:property_service set;
+set_prop(adbd, shell_prop)
+set_prop(adbd, powerctl_prop)
+set_prop(adbd, ffs_prop)
 
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;

bluetooth.te

@@ -38,16 +38,13 @@ allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read
 allow bluetooth self:tun_socket create_socket_perms;
 allow bluetooth efs_file:dir search;
 
-# Talk to init over the property socket.
-unix_socket_connect(bluetooth, property, init)
-
 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
 
 # Allow write access to bluetooth specific properties
-allow bluetooth bluetooth_prop:property_service set;
-allow bluetooth pan_result_prop:property_service set;
-allow bluetooth ctl_dhcp_pan_prop:property_service set;
+set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, pan_result_prop)
+set_prop(bluetooth, ctl_dhcp_pan_prop)
 
 allow bluetooth bluetooth_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;

dhcp.te

@@ -13,9 +13,9 @@ allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
 allow dhcp proc_net:file write;
-allow dhcp dhcp_prop:property_service set;
-allow dhcp pan_result_prop:property_service set;
-unix_socket_connect(dhcp, property, init)
+
+set_prop(dhcp, dhcp_prop)
+set_prop(dhcp, pan_result_prop)
 
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
 allow dhcp dhcp_data_file:dir create_dir_perms;

healthd.te

@@ -42,5 +42,4 @@ allow healthd healthd_service:service_manager { add find };
 
 # Healthd needs to tell init to continue the boot
 # process when running in charger mode.
-unix_socket_connect(healthd, property, init)
-allow healthd system_prop:property_service set;
+set_prop(healthd, system_prop)

mediaserver.te

@@ -6,7 +6,6 @@ typeattribute mediaserver mlstrustedsubject;
 
 net_domain(mediaserver)
 init_daemon_domain(mediaserver)
-unix_socket_connect(mediaserver, property, init)
 
 r_dir_file(mediaserver, sdcard_type)
 
@@ -27,7 +26,8 @@ allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
 allow mediaserver audio_device:dir r_dir_perms;
 allow mediaserver tee_device:chr_file rw_file_perms;
-allow mediaserver audio_prop:property_service set;
+
+set_prop(mediaserver, audio_prop)
 
 # Access audio devices at all.
 allow mediaserver audio_device:chr_file rw_file_perms;

netd.te

@@ -30,9 +30,8 @@ allow netd proc_net:file write;
 allow netd sysfs:file write;
 
 # Set dhcp lease for PAN connection
-unix_socket_connect(netd, property, init)
-allow netd dhcp_prop:property_service set;
-allow netd system_prop:property_service set;
+set_prop(netd, dhcp_prop)
+set_prop(netd, system_prop)
 auditallow netd system_prop:property_service set;
 
 # Connect to PAN
@@ -62,7 +61,7 @@ allow netd dnsmasq:process signal;
 domain_auto_trans(netd, clatd_exec, clatd)
 allow netd clatd:process signal;
 
-allow netd ctl_mdnsd_prop:property_service set;
+set_prop(netd, ctl_mdnsd_prop)
 
 # Allow netd to operate on sockets that are passed to it.
 allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};

nfc.te

@@ -5,8 +5,7 @@ net_domain(nfc)
 binder_service(nfc)
 
 # Set NFC properties
-unix_socket_connect(nfc, property, init)
-allow nfc nfc_prop:property_service set;
+set_prop(nfc, nfc_prop)
 
 # NFC device access.
 allow nfc nfc_device:chr_file rw_file_perms;

radio.te

@@ -5,9 +5,6 @@ net_domain(radio)
 bluetooth_domain(radio)
 binder_service(radio)
 
-# Talks to init via the property socket.
-unix_socket_connect(radio, property, init)
-
 # Talks to rild via the rild socket.
 unix_socket_connect(radio, rild, rild)
 
@@ -21,14 +18,14 @@ allow radio net_data_file:dir search;
 allow radio net_data_file:file r_file_perms;
 
 # Property service
-allow radio radio_prop:property_service set;
-allow radio net_radio_prop:property_service set;
-allow radio system_radio_prop:property_service set;
+set_prop(radio, radio_prop)
+set_prop(radio, system_radio_prop)
+set_prop(radio, net_radio_prop)
 auditallow radio net_radio_prop:property_service set;
 auditallow radio system_radio_prop:property_service set;
 
 # ctl interface
-allow radio ctl_rildaemon_prop:property_service set;
+set_prop(radio, ctl_rildaemon_prop)
 
 allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;

recovery.te

@@ -78,11 +78,10 @@ recovery_only(`
   allow recovery cache_file:file create_file_perms;
 
   # Reboot the device
-  allow recovery powerctl_prop:property_service set;
-  unix_socket_connect(recovery, property, init)
+  set_prop(recovery, powerctl_prop)
 
   # Start/stop adbd via ctl.start adbd
-  allow recovery ctl_default_prop:property_service set;
+  set_prop(recovery, ctl_default_prop)
 
   # Use setfscreatecon() to label files for OTA updates.
   allow recovery self:process setfscreate;

rild.te

@@ -6,7 +6,6 @@ init_daemon_domain(rild)
 net_domain(rild)
 allow rild self:netlink_route_socket nlmsg_write;
 allow rild kernel:system module_request;
-unix_socket_connect(rild, property, init)
 allow rild self:capability { setuid net_admin net_raw };
 allow rild alarm_device:chr_file rw_file_perms;
 allow rild cgroup:dir create_dir_perms;
@@ -26,9 +25,9 @@ allow rild system_data_file:file r_file_perms;
 allow rild system_file:file x_file_perms;
 
 # property service
-allow rild radio_prop:property_service set;
-allow rild net_radio_prop:property_service set;
-allow rild system_radio_prop:property_service set;
+set_prop(rild, radio_prop)
+set_prop(rild, net_radio_prop)
+set_prop(rild, system_radio_prop)
 auditallow rild net_radio_prop:property_service set;
 auditallow rild system_radio_prop:property_service set;
 

shell.te

@@ -41,11 +41,10 @@ allow shell zygote_exec:file rx_file_perms;
 r_dir_file(shell, apk_data_file)
 
 # Set properties.
-unix_socket_connect(shell, property, init)
-allow shell shell_prop:property_service set;
-allow shell ctl_dumpstate_prop:property_service set;
-allow shell debug_prop:property_service set;
-allow shell powerctl_prop:property_service set;
+set_prop(shell, shell_prop)
+set_prop(shell, ctl_dumpstate_prop)
+set_prop(shell, debug_prop)
+set_prop(shell, powerctl_prop)
 
 # systrace support - allow atrace to run
 # debugfs doesn't support labeling individual files, so we have

surfaceflinger.te

@@ -5,9 +5,6 @@ type surfaceflinger_exec, exec_type, file_type;
 init_daemon_domain(surfaceflinger)
 typeattribute surfaceflinger mlstrustedsubject;
 
-# Talk to init over the property socket.
-unix_socket_connect(surfaceflinger, property, init)
-
 # Perform Binder IPC.
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, binderservicedomain)
@@ -37,8 +34,8 @@ allow surfaceflinger video_device:chr_file rw_file_perms;
 allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Set properties.
-allow surfaceflinger system_prop:property_service set;
-allow surfaceflinger ctl_bootanim_prop:property_service set;
+set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, ctl_bootanim_prop)
 
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;

system_app.te

@@ -31,15 +31,14 @@ auditallow system_app system_data_file:file { create setattr append write link u
 allow system_app wallpaper_file:file r_file_perms;
 
 # Write to properties
-unix_socket_connect(system_app, property, init)
-allow system_app debug_prop:property_service set;
-allow system_app net_radio_prop:property_service set;
-allow system_app system_radio_prop:property_service set;
+set_prop(system_app, debug_prop)
+set_prop(system_app, system_prop)
+set_prop(system_app, ctl_bugreport_prop)
+set_prop(system_app, logd_prop)
+set_prop(system_app, net_radio_prop)
+set_prop(system_app, system_radio_prop)
 auditallow system_app net_radio_prop:property_service set;
 auditallow system_app system_radio_prop:property_service set;
-allow system_app system_prop:property_service set;
-allow system_app ctl_bugreport_prop:property_service set;
-allow system_app logd_prop:property_service set;
 
 # Create /data/anr/traces.txt.
 allow system_app anr_data_file:dir ra_dir_perms;

system_server.te

@@ -105,7 +105,6 @@ allow system_server self:tun_socket create_socket_perms;
 allow system_server init:process sigchld;
 
 # Talk to init and various daemons via sockets.
-unix_socket_connect(system_server, property, init)
 unix_socket_connect(system_server, installd, installd)
 unix_socket_connect(system_server, lmkd, lmkd)
 unix_socket_connect(system_server, mtpd, mtp)
@@ -273,18 +272,18 @@ allow system_server system_data_file:dir relabelfrom;
 allow system_server anr_data_file:dir relabelto;
 
 # Property Service write
-allow system_server system_prop:property_service set;
-allow system_server dhcp_prop:property_service set;
-allow system_server net_radio_prop:property_service set;
-allow system_server system_radio_prop:property_service set;
-allow system_server debug_prop:property_service set;
-allow system_server powerctl_prop:property_service set;
-allow system_server fingerprint_prop:property_service set;
+set_prop(system_server, system_prop)
+set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_radio_prop)
+set_prop(system_server, system_radio_prop)
+set_prop(system_server, debug_prop)
+set_prop(system_server, powerctl_prop)
+set_prop(system_server, fingerprint_prop)
 
 # ctl interface
-allow system_server ctl_default_prop:property_service set;
-allow system_server ctl_dhcp_pan_prop:property_service set;
-allow system_server ctl_bugreport_prop:property_service set;
+set_prop(system_server, ctl_default_prop)
+set_prop(system_server, ctl_dhcp_pan_prop)
+set_prop(system_server, ctl_bugreport_prop)
 
 # Create a socket for receiving info from wpa.
 type_transition system_server wifi_data_file:sock_file system_wpa_socket;

te_macros

@@ -118,11 +118,31 @@ typeattribute $1 bluetoothdomain;
 # unix_socket_connect(clientdomain, socket, serverdomain)
 # Allow a local socket connection from clientdomain via
 # socket to serverdomain.
+#
+# Note: If you see denial records that distill to the
+# following allow rules:
+# allow clientdomain property_socket:sock_file write;
+# allow clientdomain init:unix_stream_socket connectto;
+# allow clientdomain something_prop:property_service set;
+#
+# This sequence is indicative of attempting to set a property.
+# use set_prop(sourcedomain, targetproperty)
+#
 define(`unix_socket_connect', `
 allow $1 $2_socket:sock_file write;
 allow $1 $3:unix_stream_socket connectto;
 ')
 
+#####################################
+# set_prop(sourcedomain, targetproperty)
+# Allows source domain to set the
+# targetproperty.
+#
+define(`set_prop', `
+unix_socket_connect($1, property, init)
+allow $1 $2:property_service set;
+')
+
 #####################################
 # unix_socket_send(clientdomain, socket, serverdomain)
 # Allow a local socket send from clientdomain via

uncrypt.te

@@ -21,8 +21,7 @@ allow uncrypt cache_file:dir rw_dir_perms;
 allow uncrypt cache_file:file create_file_perms;
 
 # Set a property to reboot the device.
-unix_socket_connect(uncrypt, property, init)
-allow uncrypt powerctl_prop:property_service set;
+set_prop(uncrypt, powerctl_prop)
 
 # Raw writes to block device
 allow uncrypt self:capability sys_rawio;

vold.te

@@ -94,9 +94,6 @@ allow vold fscklogs:file create_file_perms;
 # Rules to support encrypted fs support.
 #
 
-# Set property.
-unix_socket_connect(vold, property, init)
-
 # Unmount and mount the fs.
 allow vold labeledfs:filesystem { mount unmount remount };
 
@@ -111,9 +108,9 @@ allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
 allow vold kernel:process setsched;
 
 # Property Service
-allow vold vold_prop:property_service set;
-allow vold powerctl_prop:property_service set;
-allow vold ctl_fuse_prop:property_service set;
+set_prop(vold, vold_prop)
+set_prop(vold, powerctl_prop)
+set_prop(vold, ctl_fuse_prop)
 
 # ASEC
 allow vold asec_image_file:file create_file_perms;