Drop back-compatibility for hiding ro.debuggable and ro.secure am: c6aec92b7c am: 60673b7437

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2399373 Change-Id: I21eb7cfbbefe5e5986d374bce5b78925160ebb61 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-01-25 19:33:01 +00:00 · 2023-01-25 19:33:01 +00:00 · c6ed575842
commit c6ed575842
parent 3f0a75fa08 60673b7437
10 changed files with 12 additions and 31 deletions
--- a/prebuilts/api/33.0/private/app_neverallows.te
+++ b/prebuilts/api/33.0/private/app_neverallows.te
@ -254,15 +254,3 @@ neverallow {
 # Only privileged apps may find the incident service
 neverallow all_untrusted_apps incident_service:service_manager find;
 # Do not allow untrusted app to read hidden system proprerties
 # We exclude older application for compatibility and we do not include in the exclusions other normally
 # untrusted applications such as mediaprovider due to the specific logging use cases.
 # Context: b/193912100
 neverallow {
  untrusted_app_all
  -untrusted_app_25
  -untrusted_app_27
  -untrusted_app_29
  -untrusted_app_30
 } { userdebug_or_eng_prop }:file read;
--- a/prebuilts/api/33.0/private/untrusted_app_25.te
+++ b/prebuilts/api/33.0/private/untrusted_app_25.te
@ -52,3 +52,6 @@ allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
 # Allow hidden build props
 get_prop({ untrusted_app_25 userdebug_or_eng(`-untrusted_app_25') }, userdebug_or_eng_prop)
--- a/prebuilts/api/33.0/private/untrusted_app_27.te
+++ b/prebuilts/api/33.0/private/untrusted_app_27.te
@ -40,3 +40,6 @@ allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
 # Allow hidden build props
 get_prop({ untrusted_app_27 userdebug_or_eng(`-untrusted_app_27') }, userdebug_or_eng_prop)
--- a/prebuilts/api/33.0/private/untrusted_app_29.te
+++ b/prebuilts/api/33.0/private/untrusted_app_29.te
@ -20,4 +20,4 @@ allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
 # Allow hidden build props
-get_prop(untrusted_app_29, userdebug_or_eng_prop)
+get_prop({ untrusted_app_29 userdebug_or_eng(`-untrusted_app_29') }, userdebug_or_eng_prop)
--- a/prebuilts/api/33.0/private/untrusted_app_30.te
+++ b/prebuilts/api/33.0/private/untrusted_app_30.te
@ -22,4 +22,4 @@ allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
 # Allow hidden build props
-get_prop(untrusted_app_30, userdebug_or_eng_prop)
+get_prop({ untrusted_app_30 userdebug_or_eng(`-untrusted_app_30') }, userdebug_or_eng_prop)
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@ -254,15 +254,3 @@ neverallow {
 # Only privileged apps may find the incident service
 neverallow all_untrusted_apps incident_service:service_manager find;
 # Do not allow untrusted app to read hidden system proprerties
 # We exclude older application for compatibility and we do not include in the exclusions other normally
 # untrusted applications such as mediaprovider due to the specific logging use cases.
 # Context: b/193912100
 neverallow {
  untrusted_app_all
  -untrusted_app_25
  -untrusted_app_27
  -untrusted_app_29
  -untrusted_app_30
 } { userdebug_or_eng_prop }:file read;
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@ -53,6 +53,5 @@ allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
 allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
 # Allow hidden build props
-get_prop(untrusted_app_25, userdebug_or_eng_prop)
+get_prop({ untrusted_app_25 userdebug_or_eng(`-untrusted_app_25') }, userdebug_or_eng_prop)
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@ -42,4 +42,4 @@ allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
 # Allow hidden build props
-get_prop(untrusted_app_27, userdebug_or_eng_prop)
+get_prop({ untrusted_app_27 userdebug_or_eng(`-untrusted_app_27') }, userdebug_or_eng_prop)
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@ -20,4 +20,4 @@ allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
 # Allow hidden build props
-get_prop(untrusted_app_29, userdebug_or_eng_prop)
+get_prop({ untrusted_app_29 userdebug_or_eng(`-untrusted_app_29') }, userdebug_or_eng_prop)
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@ -22,4 +22,4 @@ allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
 # Allow hidden build props
-get_prop(untrusted_app_30, userdebug_or_eng_prop)
+get_prop({ untrusted_app_30 userdebug_or_eng(`-untrusted_app_30') }, userdebug_or_eng_prop)