SELinux changes for the hasSystemFeature() binder cache property.
am: bafd0c762a
Change-Id: I6970d9544db5fb7ef8b5fd449ae8ea523fe5d75e
commit
97ad022d1d
6 changed files with 17 additions and 0 deletions
|
@ -15,6 +15,7 @@
|
|||
auth_service
|
||||
ashmem_libcutils_device
|
||||
blob_store_service
|
||||
binder_cache_system_server_prop
|
||||
binderfs
|
||||
binderfs_logs
|
||||
binderfs_logs_proc
|
||||
|
|
|
@ -1090,3 +1090,8 @@ neverallow {
|
|||
-system_server
|
||||
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
|
||||
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
|
||||
|
||||
# Allow systemserver to read/write the invalidation property
|
||||
set_prop(system_server, binder_cache_system_server_prop)
|
||||
neverallow { domain -system_server -init }
|
||||
binder_cache_system_server_prop:property_service set;
|
||||
|
|
|
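Review bot: The comment above `set_prop(system_server, binder_cache_system_server_prop)` says "read/write" but not why writes must be exclusive, which is the reason the neverallow after it exists. Per the commit title this property is the invalidation key for the hasSystemFeature() binder cache, so a setter other than system_server could presumably make clients keep or discard cached answers at the wrong time. Stating that next to the rule makes it harder for a later change to widen the `-system_server -init` exemption without noticing the integrity requirement. Suggested wording: `# Invalidation key for binder caches: only system_server (and init) may set it; every other setter is forbidden by the neverallow below.`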
@ -107,6 +107,9 @@ get_prop(domain, exported2_default_prop)
|
|||
get_prop(domain, logd_prop)
|
||||
get_prop(domain, vndk_prop)
|
||||
|
||||
# Allow every to read binder cache properties
|
||||
get_prop(domain, binder_cache_system_server_prop)
|
||||
|
||||
# Let everyone read log properties, so that liblog can avoid sending unloggable
|
||||
# messages to logd.
|
||||
get_prop(domain, log_property_type)
|
||||
|
|
|
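Review bot: The comment on `get_prop(domain, binder_cache_system_server_prop)` reads "Allow every to read", which drops the word "domain" and gives no reason why a system_server-owned property is readable by all. Because `domain` covers every process type, sandboxed app domains included, anything labelled with this type must stay an opaque invalidation key and never carry user or device state; that is presumably true of the current value but is not visible in this hunk. I would write `# Allow every domain to read binder cache properties. Values are opaque cache-invalidation keys; do not label sensitive data with this type.`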
@ -149,6 +149,9 @@ system_public_prop(vendor_security_patch_level_prop)
|
|||
system_public_prop(wifi_log_prop)
|
||||
system_public_prop(wifi_prop)
|
||||
|
||||
# Properties used by binder caches
|
||||
system_public_prop(binder_cache_system_server_prop)
|
||||
|
||||
# Properties which are public for devices launching with Android O or earlier
|
||||
# This should not be used for any new properties.
|
||||
not_compatible_property(`
|
||||
|
@ -555,6 +558,7 @@ compatible_property_only(`
|
|||
-bluetooth_a2dp_offload_prop
|
||||
-bluetooth_audio_hal_prop
|
||||
-bluetooth_prop
|
||||
-binder_cache_system_server_prop
|
||||
-bootloader_boot_reason_prop
|
||||
-boottime_prop
|
||||
-bpf_progs_loaded_prop
|
||||
|
|
|
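Review bot: In the second hunk, `-binder_cache_system_server_prop` is inserted between `-bluetooth_prop` and `-bootloader_boot_reason_prop`, which breaks the alphabetical order the visible neighbours follow; it sorts ahead of the `-bluetooth_*` entries. Exclusion lists like this are audited by eye, so an out-of-order entry is easy to miss or duplicate later. The enclosing `compatible_property_only(` rule starts and ends outside the hunk, so which restriction this type is being exempted from cannot be confirmed here; a short comment at the top of the list naming that restriction would help.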
@ -439,3 +439,6 @@ ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0
|
|||
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
|
||||
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
|
||||
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
|
||||
|
||||
# Binder cache properties. These are world-readable
|
||||
binder.cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
|
||||
|
|
|
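Review bot: The new `binder.cache_key.has_system_feature` entry has no match qualifier or value type, unlike the `exact bool` and `exact int` entries directly above it. Without one it is matched as a prefix, so any property whose name begins with that string receives the `binder_cache_system_server_prop` label, and the value is not type-checked. If only this one key is meant, add `exact` plus the type the cache actually writes (for example `... :s0 exact string`, to be confirmed against the writer). If a family of cache keys is intended, label a shorter name with an explicit `prefix` so the intent is visible. Setting is still confined to system_server and init by the neverallow added elsewhere in this commit, so this is about keeping the label's scope as narrow as the comment implies.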
@ -198,6 +198,7 @@ recovery_only(`
|
|||
not_compatible_property(`
|
||||
set_prop(vendor_init, {
|
||||
property_type
|
||||
-binder_cache_system_server_prop
|
||||
-device_config_activity_manager_native_boot_prop
|
||||
-device_config_boot_count_prop
|
||||
-device_config_reset_performed_prop
|
||||
|
|