From 6473ae83075fd0a442becdc5120e17477563e2f6 Mon Sep 17 00:00:00 2001
From: Tom Cherry <tomcherry@google.com>
Date: Fri, 19 Jan 2018 15:21:42 -0800
Subject: [PATCH] Allow vendor_init without compatible_property to write most
 properties

These property sets will be long term restricted with
compatible_property but allowing them now eases the transition.

Bug: 62875318
Test: boot marlin without audits for setprop in vendor_init
Change-Id: I25ab565bbf137e382c1dfc3b905b38403645f1d2
---
 public/domain.te      |  6 ++++--
 public/vendor_init.te | 13 +++++++++++++
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index cffe5cdae..6a3d270eb 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -506,10 +506,12 @@ neverallow * hidl_base_hwservice:hwservice_manager find;
 
 # Require that domains explicitly label unknown properties, and do not allow
 # anyone but init to modify unknown properties.
-neverallow { domain -init } default_prop:property_service set;
-neverallow { domain -init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init } default_prop:property_service set;
+neverallow { domain -init -vendor_init } mmc_prop:property_service set;
 
 compatible_property_only(`
+    neverallow { domain -init } default_prop:property_service set;
+    neverallow { domain -init } mmc_prop:property_service set;
     neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
     neverallow { domain -init -vendor_init } exported2_default_prop:property_service set;
     neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 01e30a825..b1efe1d7f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -218,6 +218,19 @@ allow vendor_init serialno_prop:file { getattr open read };
 # Vendor init can perform operations on trusted and security Extended Attributes
 allow vendor_init self:global_capability_class_set sys_admin;
 
+not_compatible_property(`
+    set_prop(vendor_init, {
+      property_type
+      -restorecon_prop
+      -netd_stable_secret_prop
+      -firstboot_prop
+      -pm_prop
+      -system_boot_reason_prop
+      -bootloader_boot_reason_prop
+      -last_boot_reason_prop
+    })
+')
+
 set_prop(vendor_init, debug_prop)
 set_prop(vendor_init, exported_config_prop)
 set_prop(vendor_init, exported_dalvik_prop)
-- 
GitLab