Merge "Add sepolicy for sdkext module prop"

2019-12-06 11:13:03 +00:00 · 2019-12-06 11:13:03 +00:00 · 902f4fe2e6
commit 902f4fe2e6
parent f32216ae46 e822545909
7 changed files with 24 additions and 0 deletions
--- a/apex/com.android.sdkext-file_contexts
+++ b/apex/com.android.sdkext-file_contexts
@ -1 +1,2 @@
 (/.*)?                u:object_r:system_file:s0
+/bin/derive_sdk       u:object_r:derive_sdk_exec:s0
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@ -32,6 +32,7 @@
    mediatranscoding_tmpfs
    linker_prop
    mock_ota_prop
+    module_sdkext_prop
    ota_metadata_file
    ota_prop
    art_apex_dir
--- a/private/derive_sdk.te
+++ b/private/derive_sdk.te
@ -0,0 +1,12 @@
+
+# Domain for derive_sdk
+type derive_sdk, domain, coredomain;
+type derive_sdk_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(derive_sdk)
+
+# Read /apex
+allow derive_sdk apex_mnt_dir:dir r_dir_perms;
+
+# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
+set_prop(derive_sdk, module_sdkext_prop)
+neverallow {domain -init -derive_sdk} module_sdkext_prop:property_service set;
--- a/private/domain.te
+++ b/private/domain.te
@ -45,6 +45,9 @@ get_prop(domain, use_memfd_prop);
 # Allow to read properties for linker
 get_prop(domain, linker_prop);

+# Read access to sdkext props
+get_prop(domain, module_sdkext_prop)
+
 # For now, everyone can access core property files
 # Device specific properties are not granted by default
 not_compatible_property(`
--- a/private/property_contexts
+++ b/private/property_contexts
@ -224,3 +224,7 @@ ro.virtual_ab.retrofit  u:object_r:virtual_ab_prop:s0

 # Property to set/clear the warm reset flag after an OTA update.
 ota.warm_reset  u:object_r:ota_prop:s0
+
+# Module properties
+com.android.sdkext.                  u:object_r:module_sdkext_prop:s0
+persist.com.android.sdkext.          u:object_r:module_sdkext_prop:s0
--- a/public/property.te
+++ b/public/property.te
@ -60,6 +60,7 @@ compatible_property_only(`

 # Properties which can't be written outside system
 system_restricted_prop(linker_prop)
+system_restricted_prop(module_sdkext_prop)
 system_restricted_prop(nnapi_ext_deny_product_prop)
 system_restricted_prop(restorecon_prop)
 system_restricted_prop(system_boot_reason_prop)
@ -614,6 +615,7 @@ compatible_property_only(`
    -heapprofd_prop
    -hwservicemanager_prop
    -last_boot_reason_prop
+    -module_sdkext_prop
    -system_lmk_prop
    -linker_prop
    -log_prop
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@ -221,6 +221,7 @@ not_compatible_property(`
      -nnapi_ext_deny_product_prop
      -init_svc_debug_prop
      -linker_prop
+      -module_sdkext_prop
      -userspace_reboot_exported_prop
      -userspace_reboot_prop
    })