Merge "Add sepolicy for the Thread Network property" into main

2024-01-25 09:39:13 +00:00 · 2024-01-25 09:39:13 +00:00 · 943f869f1b
commit 943f869f1b
parent 75f527a74e 1d75b43704
4 changed files with 15 additions and 0 deletions
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@ -37,4 +37,5 @@
    drm_forcel3_prop
    proc_percpu_pagelist_high_fraction
    vendor_microdroid_file
+    threadnetwork_config_prop
  ))
--- a/private/property_contexts
+++ b/private/property_contexts
@ -1628,3 +1628,5 @@ persist.graphics.game_default_frame_rate.enabled  u:object_r:game_manager_config
 # Properties for app archiving
 pm.archiving.enabled      u:object_r:pm_archiving_enabled_prop:s0 exact bool

+# Properties for ThreadNetworkService
+threadnetwork.country_code u:object_r:threadnetwork_config_prop:s0 exact string
--- a/private/system_server.te
+++ b/private/system_server.te
@ -1565,3 +1565,14 @@ allow system_server binderfs_logs_stats:file r_file_perms;
 # Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
 set_prop(system_server, game_manager_config_prop)

+# ThreadNetworkService reads Thread Network properties
+get_prop(system_server, threadnetwork_config_prop)
+
+# Do not allow any domain other than init and system server to set the property
+neverallow {
+  domain
+  -init
+  -vendor_init
+  -dumpstate
+  -system_server
+} threadnetwork_config_prop:file no_rw_file_perms;
--- a/public/property.te
+++ b/public/property.te
@ -181,6 +181,7 @@ system_vendor_config_prop(surfaceflinger_prop)
 system_vendor_config_prop(suspend_prop)
 system_vendor_config_prop(systemsound_config_prop)
 system_vendor_config_prop(telephony_config_prop)
+system_vendor_config_prop(threadnetwork_config_prop)
 system_vendor_config_prop(tombstone_config_prop)
 system_vendor_config_prop(usb_config_prop)
 system_vendor_config_prop(userspace_reboot_config_prop)