Merge "Revert^2 "SELinux policy for system server JVMTI""

am: 453ed17a61 Change-Id: Ia488cd027e46fa6f20ebbce91ea6ada63ab5e6da
2019-11-26 14:26:00 -08:00 · 2019-11-26 14:26:00 -08:00 · b08791945a
commit b08791945a
parent bb82c57996 453ed17a61
5 changed files with 17 additions and 0 deletions
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@ -33,6 +33,7 @@
    art_apex_dir
    service_manager_service
    system_group_file
+    system_jvmti_agent_prop
    system_passwd_file
    timezonedetector_service
    userspace_reboot_prop
--- a/private/property_contexts
+++ b/private/property_contexts
@ -67,6 +67,7 @@ persist.sys.theme       u:object_r:theme_prop:s0
 persist.sys.fflag.override.settings_dynamic_system    u:object_r:dynamic_system_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0
 persist.sys.audit_safemode      u:object_r:safemode_prop:s0
+persist.sys.dalvik.jvmtiagent   u:object_r:system_jvmti_agent_prop:s0
 persist.service.        u:object_r:system_prop:s0
 persist.service.bdroid. u:object_r:bluetooth_prop:s0
 persist.security.       u:object_r:system_prop:s0
--- a/private/system_server.te
+++ b/private/system_server.te
@ -894,6 +894,8 @@ allow system_server profman_dump_data_file:dir w_dir_perms;
 userdebug_or_eng(`
  allow system_server user_profile_data_file:file create_file_perms;
 ')
+# Allow system server to load JVMTI agents under control of a property.
+get_prop(system_server,system_jvmti_agent_prop)

 # UsbDeviceManager uses /dev/usb-ffs
 allow system_server functionfs:dir search;
@ -1031,6 +1033,17 @@ allow system_server metadata_file:dir search;
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;

+# JVMTI agent settings are only readable from the system server.
+neverallow {
+  domain
+  -system_server
+  -dumpstate
+  -init
+  -vendor_init
+} {
+  system_jvmti_agent_prop
+}:file no_rw_file_perms;
+
 # Read/Write /proc/pressure/memory
 allow system_server proc_pressure_mem:file rw_file_perms;

--- a/public/property.te
+++ b/public/property.te
@ -63,6 +63,7 @@ system_restricted_prop(linker_prop)
 system_restricted_prop(nnapi_ext_deny_product_prop)
 system_restricted_prop(restorecon_prop)
 system_restricted_prop(system_boot_reason_prop)
+system_restricted_prop(system_jvmti_agent_prop)
 system_restricted_prop(userspace_reboot_exported_prop)

 compatible_property_only(`
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@ -213,6 +213,7 @@ not_compatible_property(`
      -firstboot_prop
      -pm_prop
      -system_boot_reason_prop
+      -system_jvmti_agent_prop
      -bootloader_boot_reason_prop
      -last_boot_reason_prop
      -apexd_prop