From bb9a388840cde9a1e0b0aa01ba4374eec721616b Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 13 Dec 2016 19:50:36 -0800
Subject: [PATCH] Assign a label to the ro.boottime.* properties

system/core commit 331cf2fb7c16b5b25064f8d2f00284105a9b413f created a
number of new properties of the form:

  [ro.boottime.init]: [5294587604]
  [ro.boottime.InputEventFind]: [10278767840]
  [ro.boottime.adbd]: [8359267180]
  ...

These properties were assigned the default_prop SELinux label because a
better label did not exist. Properties labeled with the default_prop
label are readable to any SELinux domain, which is overly broad.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:default_prop:s0

Instead, create a new label for the ro.boottime.* properties so we can
apply more fine-grained read access control to these properties.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:boottime_prop:s0

New SELinux property labels have minimal permissions by default. As a
result, after this change, ro.boottime.* properties will only be
readable to system_server, bootstat, init (because it manages the property
space), and "adb root" (because no SELinux permissions are enforced there).

Additional read access can be granted as-needed.

This is part of a larger effort to implement fine-grain access control
on the properties managed by init.

Test: Device boots and no SELinux denials on boot.
Change-Id: Ibf981cb81898f4356fdc5c1b6f15dd93c0d6d84d
---
 private/property_contexts | 1 +
 public/bootstat.te        | 3 +++
 public/property.te        | 1 +
 public/system_server.te   | 3 +++
 4 files changed, 8 insertions(+)

diff --git a/private/property_contexts b/private/property_contexts
index 2e0b2dd3f..340756033 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -58,6 +58,7 @@ persist.service.bdroid. u:object_r:bluetooth_prop:s0
 persist.security.       u:object_r:system_prop:s0
 persist.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boot.vendor.overlay.  u:object_r:overlay_prop:s0
+ro.boottime.             u:object_r:boottime_prop:s0
 
 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
diff --git a/public/bootstat.te b/public/bootstat.te
index 98b2565f7..7fc589235 100644
--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -8,3 +8,6 @@ allow bootstat bootstat_data_file:file create_file_perms;
 
 # Read access to pseudo filesystems (for /proc/uptime).
 r_dir_file(bootstat, proc)
+
+# Collect metrics on boot time created by init
+get_prop(bootstat, boottime_prop)
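Review bot: The comment above the new `get_prop` line reads as if init created the boot time rather than the properties, and the same wording is repeated in public/system_server.te. Since `get_prop` grants only read access, the comment should say what is being read and from where, e.g. `# Read the ro.boottime.* properties that init records for boot-time metrics`. The bootstat rule block continues outside the hunk.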
diff --git a/public/property.te b/public/property.te
index e64ebcd2a..731eee518 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,4 +1,5 @@
 type audio_prop, property_type, core_property_type;
+type boottime_prop, property_type;
 type bluetooth_prop, property_type, core_property_type;
 type config_prop, property_type, core_property_type;
 type cppreopt_prop, property_type, core_property_type;
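Review bot: `boottime_prop` is the only type in this list declared without `core_property_type`, and that omission is what makes the new label minimally readable as the description says; nothing in the file records that it is intentional, so a later contributor could "fix" it to match its neighbours and silently widen read access again. A one-line comment would pin the intent: `# boottime_prop deliberately omits core_property_type so ro.boottime.* is not readable by every domain` (hedged: core_property_type presumably carries the broad read grant the description refers to). Separately, the new line sits between `audio_prop` and `bluetooth_prop`, breaking the alphabetical order of the list; it belongs after `bluetooth_prop`.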
diff --git a/public/system_server.te b/public/system_server.te
index f7f87f82a..c0802e8d4 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -384,6 +384,9 @@ set_prop(system_server, ctl_bugreport_prop)
 # cppreopt property
 set_prop(system_server, cppreopt_prop)
 
+# Collect metrics on boot time created by init
+get_prop(system_server, boottime_prop)
+
 # Create a socket for receiving info from wpa.
 allow system_server wpa_socket:dir rw_dir_perms;
 allow system_server system_wpa_socket:sock_file create_file_perms;
-- 
GitLab