Revert "Revert "Define sepolicy for ro.product.vndk.version""

This reverts commit f536a60407. Reason for revert: Resubmit the CL with the fix in vendor_init.te Bug: 144534640 Test: lunch sdk-userdebug; m sepolicy_tests Change-Id: I47c589c071324d8f031a0f7ebdfa8188869681e9
2020-01-06 05:35:57 +00:00 · 2020-01-06 05:35:57 +00:00 · ed0a8ebe50
commit ed0a8ebe50
parent f536a60407
8 changed files with 9 additions and 0 deletions
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@ -199,6 +199,7 @@
    vendor_apex_file
    vendor_init
    vendor_shell
+    vndk_prop
    vold_metadata_file
    vold_prepare_subdirs
    vold_prepare_subdirs_exec
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@ -177,6 +177,7 @@
    vendor_init
    vendor_security_patch_level_prop
    vendor_shell
+    vndk_prop
    vold_metadata_file
    vold_prepare_subdirs
    vold_prepare_subdirs_exec
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@ -151,5 +151,6 @@
    vendor_misc_writer
    vendor_misc_writer_exec
    vendor_task_profiles_file
+    vndk_prop
    vrflinger_vsync_service
    watchdogd_tmpfs))
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@ -62,4 +62,5 @@
    vendor_boringssl_self_test
    vendor_install_recovery
    vendor_install_recovery_exec
+    vndk_prop
    virtual_ab_prop))
--- a/public/domain.te
+++ b/public/domain.te
@ -101,6 +101,7 @@ get_prop(domain, exported_system_prop)
 get_prop(domain, exported_vold_prop)
 get_prop(domain, exported2_default_prop)
 get_prop(domain, logd_prop)
+get_prop(domain, vndk_prop)

 # Let everyone read log properties, so that liblog can avoid sending unloggable
 # messages to logd.
@ -509,6 +510,7 @@ neverallow * hidl_base_hwservice:hwservice_manager find;
 # anyone but init to modify unknown properties.
 neverallow { domain -init -vendor_init } default_prop:property_service set;
 neverallow { domain -init -vendor_init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init } vndk_prop:property_service set;

 compatible_property_only(`
    neverallow { domain -init } default_prop:property_service set;
--- a/public/property.te
+++ b/public/property.te
@ -66,6 +66,7 @@ system_restricted_prop(restorecon_prop)
 system_restricted_prop(system_boot_reason_prop)
 system_restricted_prop(system_jvmti_agent_prop)
 system_restricted_prop(userspace_reboot_exported_prop)
+system_restricted_prop(vndk_prop)

 compatible_property_only(`
    # DO NOT ADD ANY PROPERTIES HERE
--- a/public/property_contexts
+++ b/public/property_contexts
@ -385,6 +385,7 @@ ro.product.vendor.device u:object_r:exported_default_prop:s0 exact string
 ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
 ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
 ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
+ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
 ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact enum default legacy AP-assisted
 ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
 ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@ -224,6 +224,7 @@ not_compatible_property(`
      -module_sdkext_prop
      -userspace_reboot_exported_prop
      -userspace_reboot_prop
+      -vndk_prop
    })
 ')