Add selinux permissions for ro.usb.uvc.enabled

This CL the selinux rules for the property ro.usb.uvc.enabled which will be used to toggle UVC Gadget functionality on the Android Device. Bug: 242344221 Bug: 242344229 Test: Manually tested that the property can only be read at runtime, not written to. Change-Id: I0fd6051666d9554037acc68fa81226503f514a45
2023-01-23 23:46:42 -08:00 · 2023-01-23 23:46:42 -08:00 · a12d3103be
commit a12d3103be
parent beee8849a6
6 changed files with 17 additions and 0 deletions
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@ -43,6 +43,7 @@
    timezone_metadata_prop
    tuner_config_prop
    tuner_server_ctl_prop
+    usb_uvc_enabled_prop
    virtual_face_hal_prop
    virtual_fingerprint_hal_prop
    hal_gatekeeper_service
--- a/private/property.te
+++ b/private/property.te
@ -681,3 +681,9 @@ neverallow {
  domain
  -init
 } log_file_logger_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  -vendor_init
+} usb_uvc_enabled_prop:property_service set;
--- a/private/property_contexts
+++ b/private/property_contexts
@ -1501,3 +1501,6 @@ tuner.server.enable u:object_r:tuner_server_ctl_prop:s0 exact bool

 # Adaptive haptics settings property
 vibrator.adaptive_haptics.enabled u:object_r:adaptive_haptics_prop:s0 exact string
+
+# UVC Gadget property
+ro.usb.uvc.enabled      u:object_r:usb_uvc_enabled_prop:s0 exact bool
--- a/private/system_app.te
+++ b/private/system_app.te
@ -177,6 +177,9 @@ allow system_app system_server:udp_socket {
 # Settings app reads ro.oem_unlock_supported
 get_prop(system_app, oem_unlock_prop)

+# Settings app reads ro.usb.uvc.enabled
+get_prop(system_app, usb_uvc_enabled_prop)
+
 # Allow system apps to act as Perfetto producers.
 perfetto_producer(system_app)

--- a/public/hal_usb_gadget.te
+++ b/public/hal_usb_gadget.te
@ -14,3 +14,6 @@ allow hal_usb_gadget_server configfs:file create_file_perms;
 allow hal_usb_gadget_server functionfs:dir { read search };
 allow hal_usb_gadget_server functionfs:file read;
 allow hal_usb_gadget_server proc_interrupts:file r_file_perms;
+
+# Read access to ro.usb.uvc.enabled
+get_prop(hal_usb_gadget_server, usb_uvc_enabled_prop)
--- a/public/property.te
+++ b/public/property.te
@ -187,6 +187,7 @@ system_vendor_config_prop(zram_config_prop)
 system_vendor_config_prop(zygote_config_prop)
 system_vendor_config_prop(dck_prop)
 system_vendor_config_prop(tuner_config_prop)
+system_vendor_config_prop(usb_uvc_enabled_prop)

 # Properties with no restrictions
 system_public_prop(adbd_config_prop)