Merge "Support fine grain read access control for properties" am: 6fa6bdb6

am: c28d9091

* commit 'c28d9091':
  Support fine grain read access control for properties

device.te

@@ -54,6 +54,7 @@ type usbaccessory_device, dev_type, mlstrustedobject;
 type usb_device, dev_type, mlstrustedobject;
 type klog_device, dev_type;
 type properties_device, dev_type;
+type properties_serial, dev_type;
 type i2c_device, dev_type;
 
 # All devices have a uart for the hci

domain.te

@@ -76,7 +76,14 @@ allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain urandom_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
-allow domain properties_device:file r_file_perms;
+allow domain properties_device:dir r_dir_perms;
+allow domain properties_serial:file r_file_perms;
+
+# For now, everyone can access all property files
+get_prop(domain, property_type)
+dontaudit domain property_type:file audit_access;
+allow domain property_contexts:file r_file_perms;
+
 allow domain init:key search;
 allow domain vold:key search;
 

file.te

@@ -192,6 +192,9 @@ type sap_uim_socket, file_type;
 # UART (for GPS) control proc file
 type gps_control, file_type;
 
+# property_contexts file
+type property_contexts, file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;

file_contexts

@@ -34,7 +34,7 @@
 
 # SELinux policy files
 /file_contexts\.bin u:object_r:rootfs:s0
-/property_contexts  u:object_r:rootfs:s0
+/property_contexts  u:object_r:property_contexts:s0
 /seapp_contexts     u:object_r:rootfs:s0
 /sepolicy           u:object_r:rootfs:s0
 /service_contexts   u:object_r:rootfs:s0

init.te

@@ -14,8 +14,9 @@ allow init tmpfs:chr_file create_file_perms;
 # /dev/socket
 allow init { device socket_device }:dir relabelto;
 # /dev/__properties__
-allow init tmpfs:file relabelfrom;
-allow init properties_device:file relabelto;
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { create_file_perms relabelto };
 
 # setrlimit
 allow init self:capability sys_resource;

property.te

@@ -30,3 +30,5 @@ type powerctl_prop, property_type;
 type nfc_prop, property_type;
 type dalvik_prop, property_type;
 type config_prop, property_type;
+
+allow property_type tmpfs:filesystem associate;

te_macros

@@ -152,6 +152,15 @@ __unix_socket_connect__($1, property, init)
 allow $1 $2:property_service set;
 ')
 
+#####################################
+# get_prop(sourcedomain, targetproperty)
+# Allows source domain to read the
+# targetproperty.
+#
+define(`get_prop', `
+allow $1 $2:file r_file_perms;
+')
+
 #####################################
 # unix_socket_send(clientdomain, socket, serverdomain)
 # Allow a local socket send from clientdomain via