From 4b3893f90bf6bc67de232ddc44123974d36770ef Mon Sep 17 00:00:00 2001
From: Robert Craig <rpcraig@tycho.ncsc.mil>
Date: Tue, 18 Feb 2014 13:24:26 -0500
Subject: [PATCH] Replace ctl_default_prop access with explicit service
 property keys.

The ctl_default_prop label is a bit too generic for some
of the privileged domains when describing access rights.
Instead, be explicit about which services are being started
and stopped by introducing new ctl property keys.

Change-Id: I1d0c6f6b3e8bd63da30bd6c7b084da44f063246a
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
---
 netd.te           | 4 +---
 property.te       | 3 +++
 property_contexts | 3 +++
 surfaceflinger.te | 2 +-
 vold.te           | 2 +-
 5 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/netd.te b/netd.te
index 50208981f..46cc43631 100644
--- a/netd.te
+++ b/netd.te
@@ -56,9 +56,7 @@ allow netd dnsmasq:process signal;
 domain_auto_trans(netd, clatd_exec, clatd)
 allow netd clatd:process signal;
 
-# Support netd running mdnsd
-# TODO: prune this back further
-allow netd ctl_default_prop:property_service set;
+allow netd ctl_mdnsd_prop:property_service set;
 
 ###
 ### Neverallow rules
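Review bot: The new `allow netd ctl_mdnsd_prop:property_service set;` no longer says why netd needs it, because the hunk deletes `# Support netd running mdnsd` together with the TODO. The TODO is resolved by this change, but the reason still holds, so I would keep a one-line comment such as `# Allow netd to start and stop mdnsd via the ctl.mdnsd control property.` The replaced rules in surfaceflinger.te and vold.te sit under the generic headings `# Set properties.` and `# Property Service`; a short comment naming the service each one controls (bootanim, the fuse_ services) would make later audits of the ctl grants easier.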
diff --git a/property.te b/property.te
index c1dc2549c..6f2b28050 100644
--- a/property.te
+++ b/property.te
@@ -6,8 +6,11 @@ type radio_prop, property_type;
 type system_prop, property_type;
 type vold_prop, property_type;
 type rild_prop, property_type;
+type ctl_bootanim_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_dumpstate_prop, property_type;
+type ctl_fuse_prop, property_type;
+type ctl_mdnsd_prop, property_type;
 type ctl_rildaemon_prop, property_type;
 type ctl_bugreport_prop, property_type;
 type audio_prop, property_type;
diff --git a/property_contexts b/property_contexts
index 08874c552..aedf60c4a 100644
--- a/property_contexts
+++ b/property_contexts
@@ -52,7 +52,10 @@ vold.                   u:object_r:vold_prop:s0
 crypto.                 u:object_r:vold_prop:s0
 
 # ctl properties
+ctl.bootanim            u:object_r:ctl_bootanim_prop:s0
 ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
+ctl.fuse_               u:object_r:ctl_fuse_prop:s0
+ctl.mdnsd               u:object_r:ctl_mdnsd_prop:s0
 ctl.ril-daemon          u:object_r:ctl_rildaemon_prop:s0
 ctl.bugreport           u:object_r:ctl_bugreport_prop:s0
 ctl.                    u:object_r:ctl_default_prop:s0
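Review bot: The added `ctl.fuse_` key is a name prefix rather than a single service, so `ctl_fuse_prop` (which vold.te is granted `set` on) will cover control of every init service whose name starts with `fuse_`, and nothing in the hunk says that breadth is intended. Keys in this file appear to be matched by prefix (the `ctl.` catch-all on the last line relies on it), so `ctl.mdnsd` and `ctl.bootanim` would presumably also match longer service names beginning with those strings. I would add a comment above the new entries, for example `# Keys are prefixes: ctl.fuse_ intentionally covers all fuse_* services managed by vold.`, and confirm that no unrelated service name shares one of these prefixes.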
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 5ecfd1832..20fef957d 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -38,7 +38,7 @@ allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Set properties.
 allow surfaceflinger system_prop:property_service set;
-allow surfaceflinger ctl_default_prop:property_service set;
+allow surfaceflinger ctl_bootanim_prop:property_service set;
 
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
diff --git a/vold.te b/vold.te
index cc70e8a29..b76be767e 100644
--- a/vold.te
+++ b/vold.te
@@ -65,7 +65,7 @@ allow vold kernel:process setsched;
 # Property Service
 allow vold vold_prop:property_service set;
 allow vold powerctl_prop:property_service set;
-allow vold ctl_default_prop:property_service set;
+allow vold ctl_fuse_prop:property_service set;
 
 # ASEC
 allow vold asec_image_file:file create_file_perms;
-- 
GitLab