Add policy for property service.

New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties.

Add policy for property service.
124720a6 · Stephen Smalley · 2cb1b31f · 124720a6 · 124720a6 · 124720a6
Commit 124720a6 authored 12 years ago by Stephen Smalley
--- a/Android.mk
+++ b/Android.mk
@@ -15,6 +15,7 @@ LOCAL_POLICY_DIRS := $(SRC_TARGET_DIR)/board/$(TARGET_DEVICE)/ device/*/$(TARGET

 LOCAL_POLICY_FC := $(wildcard $(addsuffix sepolicy.fc, $(LOCAL_POLICY_DIRS)))
 LOCAL_POLICY_TE := $(wildcard $(addsuffix sepolicy.te, $(LOCAL_POLICY_DIRS)))
+LOCAL_POLICY_PC := $(wildcard $(addsuffix sepolicy.pc, $(LOCAL_POLICY_DIRS)))

 ##################################
 include $(CLEAR_VARS)
@@ -66,6 +67,22 @@ LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

 include $(BUILD_PREBUILT)

+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+property_contexts := $(intermediates)/property_contexts
+$(property_contexts): $(LOCAL_PATH)/property_contexts $(LOCAL_POLICY_PC)
+	@mkdir -p $(dir $@)
+	$(hide) cat $^ > $@
+
+property_contexts :=
 ##################################

 endif #ifeq ($(HAVE_SELINUX),true)
--- a/access_vectors
+++ b/access_vectors
@@ -880,3 +880,8 @@ class zygote
 	specifyinvokewith
 	specifyseinfo
 }
+
+class property_service
+{
+	set
+}
--- a/attributes
+++ b/attributes
@@ -33,6 +33,9 @@ attribute netif_type;
 # All types used for network ports.
 attribute port_type;

+# All types used for property service
+attribute property_type;
+
 # All domains that can override MLS restrictions.
 # i.e. processes that can read up and write down.
 attribute mlstrustedsubject;

--- a/property.te
+++ b/property.te
+type default_prop, property_type;
+type shell_prop, property_type;
+type radio_prop, property_type;
+type system_prop, property_type;
+type vold_prop, property_type;
+type rild_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_dumpstate_prop, property_type;
+type ctl_rildaemon_prop, property_type;
--- a/property_contexts
+++ b/property_contexts
+##########################
+# property service keys
+#
+#
+net.rmnet0              u:object_r:radio_prop:s0
+net.gprs                u:object_r:radio_prop:s0
+net.ppp                 u:object_r:radio_prop:s0
+net.qmi                 u:object_r:radio_prop:s0
+net.lte                 u:object_r:radio_prop:s0
+persist.radio           u:object_r:radio_prop:s0
+net.dns                 u:object_r:radio_prop:s0
+sys.usb.config          u:object_r:radio_prop:s0
+gsm.current.phone-type  u:object_r:radio_prop:s0
+gsm.sim.                u:object_r:radio_prop:s0
+gsm.operator.           u:object_r:radio_prop:s0
+gsm.version.baseband    u:object_r:radio_prop:s0
+
+ril.                    u:object_r:rild_prop:s0
+gsm.                    u:object_r:rild_prop:s0
+net.cdma                u:object_r:rild_prop:s0
+
+net.                    u:object_r:system_prop:s0
+dev.                    u:object_r:system_prop:s0
+runtime.                u:object_r:system_prop:s0
+hw.                     u:object_r:system_prop:s0
+sys.                    u:object_r:system_prop:s0
+service.                u:object_r:system_prop:s0
+wlan.                   u:object_r:system_prop:s0
+dhcp.                   u:object_r:system_prop:s0
+
+debug.                  u:object_r:shell_prop:s0
+log.                    u:object_r:shell_prop:s0
+service.adb.root        u:object_r:shell_prop:s0
+service.adb.tcp.port    u:object_r:shell_prop:s0
+
+persist.sys.            u:object_r:system_prop:s0
+persist.service.        u:object_r:system_prop:s0
+persist.security.       u:object_r:system_prop:s0
+selinux.                u:object_r:system_prop:s0
+
+# default property context
+*                       u:object_r:default_prop:s0
+
+# data partition encryption properties
+vold.                   u:object_r:vold_prop:s0
+crypto.                 u:object_r:vold_prop:s0
+
+# ctl properties
+ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
+ctl.ril-daemon          u:object_r:ctl_rildaemon_prop:s0
+ctl.                    u:object_r:ctl_default_prop:s0
--- a/radio.te
+++ b/radio.te
@@ -15,3 +15,9 @@ allow radio radio_data_file:dir create_dir_perms;
 allow radio radio_data_file:notdevfile_class_set create_file_perms;

 allow radio alarm_device:chr_file rw_file_perms;
+
+# Property service
+allow radio radio_prop:property_service set;
+
+# ctl interface
+allow radio ctl_rildaemon_prop:property_service set;
--- a/rild.te
+++ b/rild.te
@@ -20,3 +20,6 @@ allow rild shell_exec:file rx_file_perms;
 dontaudit rild self:capability sys_admin;
 # XXX Label sysfs files with a specific type?
 allow rild sysfs:file rw_file_perms;
+
+# property service
+allow rild rild_prop:property_service set;
--- a/security_classes
+++ b/security_classes
@@ -134,4 +134,7 @@ class db_language		# userspace
 class binder
 class zygote

+# Property service
+class property_service          # userspace
+
 # FLASK
--- a/shell.te
+++ b/shell.te
@@ -31,3 +31,12 @@ allow shell log_device:chr_file r_file_perms;
 # Run app_process.
 # XXX Split into its own domain?
 app_domain(shell)
+
+# Property Service
+allow shell shell_prop:property_service set;
+
+# setprop toolbox command
+allow shell property_socket:sock_file write;
+
+# ctl interface
+allow shell ctl_dumpstate_prop:property_service set;
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -22,3 +22,6 @@ allow surfaceflinger video_device:chr_file rw_file_perms;

 # Create and use netlink kobject uevent sockets.
 allow surfaceflinger self:netlink_kobject_uevent_socket *;
+
+# ctl interface
+allow surfaceflinger ctl_default_prop:property_service set;
--- a/system.te
+++ b/system.te
@@ -146,6 +146,12 @@ allow system system_data_file:file relabelfrom;
 allow system wallpaper_file:file relabelto;
 allow system wallpaper_file:file r_file_perms;

+# Property Service write
+allow system system_prop:property_service set;
+
+# ctl interface
+allow system ctl_default_prop:property_service set;
+
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system system_wpa_socket:sock_file create_file_perms;

--- a/unconfined.te
+++ b/unconfined.te
@@ -21,3 +21,4 @@ allow unconfineddomain port_type:socket_class_set name_bind;
 allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
 allow unconfineddomain domain:peer recv;
 allow unconfineddomain domain:binder { call transfer receive };
+allow unconfineddomain property_type:property_service set;
--- a/vold.te
+++ b/vold.te
@@ -54,3 +54,6 @@ allow vold proc:file write;

 # Create and mount on /data/tmp_mnt.
 allow vold system_data_file:dir { write create add_name mounton };
+
+# Property Service
+allow vold vold_prop:property_service set;