Allow ueventd to set verity.* properties

On dm-verity errors, we catch uevents in ueventd and set the value for a matching verity.* property. Allow ueventd to actually change property values. Needed by changes from Ibb82953594d234f81ad21c40f524190b88e4ac8f Change-Id: I79bc90733edf8a45b27e64795f4adfbb3bc028dc

Allow ueventd to set verity.* properties
47cd53a5 · Sami Tolvanen · 41d961a7 · 47cd53a5 · 47cd53a5 · 47cd53a5
Commit 47cd53a5 authored 10 years ago by Sami Tolvanen
--- a/property.te
+++ b/property.te
@@ -8,6 +8,7 @@ type radio_prop, property_type;
 type net_radio_prop, property_type;
 type system_radio_prop, property_type;
 type system_prop, property_type;
+type verity_prop, property_type;
 type vold_prop, property_type;
 type ctl_bootanim_prop, property_type;
 type ctl_default_prop, property_type;

--- a/property_contexts
+++ b/property_contexts
@@ -49,6 +49,9 @@ selinux.                u:object_r:security_prop:s0
 vold.                   u:object_r:vold_prop:s0
 crypto.                 u:object_r:vold_prop:s0

+# dm-verity properties
+verity.                 u:object_r:verity_prop:s0
+
 # ro.build.fingerprint is either set in /system/build.prop, or is
 # set at runtime by system_server.
 build.fingerprint       u:object_r:fingerprint_prop:s0

--- a/ueventd.te
+++ b/ueventd.te
@@ -23,3 +23,9 @@ allow ueventd efs_file:file r_file_perms;

 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;
+
+# Set property.
+unix_socket_connect(ueventd, property, init)
+
+# Property service
+allow ueventd verity_prop:property_service set;