am 49231243: am fee49159: Align SELinux property policy with init property_perms.

* commit '49231243':
  Align SELinux property policy with init property_perms.

dhcp.te

@@ -13,7 +13,7 @@ allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
 allow dhcp proc_net:file write;
-allow dhcp system_prop:property_service set ;
+allow dhcp dhcp_prop:property_service set;
 allow dhcp pan_result_prop:property_service set;
 unix_socket_connect(dhcp, property, init)
 

init.te

@@ -86,6 +86,9 @@ allow init self:process { setexec setfscreate setsockcreate };
 allow init property_data_file:dir create_dir_perms;
 allow init property_data_file:file create_file_perms;
 
+# Set any property.
+allow init property_type:property_service set;
+
 # Run "ifup lo" to bring up the localhost interface
 allow init self:udp_socket { create ioctl };
 

netd.te

@@ -31,7 +31,9 @@ allow netd sysfs:file write;
 
 # Set dhcp lease for PAN connection
 unix_socket_connect(netd, property, init)
+allow netd dhcp_prop:property_service set;
 allow netd system_prop:property_service set;
+auditallow netd system_prop:property_service set;
 
 # Connect to PAN
 domain_auto_trans(netd, dhcp_exec, dhcp)

property.te

@@ -2,10 +2,12 @@ type default_prop, property_type;
 type shell_prop, property_type;
 type debug_prop, property_type;
 type debuggerd_prop, property_type;
+type dhcp_prop, property_type;
 type radio_prop, property_type;
+type net_radio_prop, property_type;
+type system_radio_prop, property_type;
 type system_prop, property_type;
 type vold_prop, property_type;
-type rild_prop, property_type;
 type ctl_bootanim_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_dhcp_pan_prop, property_type;

property_contexts

@@ -2,19 +2,17 @@
 # property service keys
 #
 #
-net.rmnet               u:object_r:radio_prop:s0
-net.gprs                u:object_r:radio_prop:s0
-net.ppp                 u:object_r:radio_prop:s0
-net.qmi                 u:object_r:radio_prop:s0
-net.lte                 u:object_r:radio_prop:s0
-net.cdma                u:object_r:radio_prop:s0
+net.rmnet               u:object_r:net_radio_prop:s0
+net.gprs                u:object_r:net_radio_prop:s0
+net.ppp                 u:object_r:net_radio_prop:s0
+net.qmi                 u:object_r:net_radio_prop:s0
+net.lte                 u:object_r:net_radio_prop:s0
+net.cdma                u:object_r:net_radio_prop:s0
+net.dns                 u:object_r:net_radio_prop:s0
+sys.usb.config          u:object_r:system_radio_prop:s0
+ril.                    u:object_r:radio_prop:s0
 gsm.                    u:object_r:radio_prop:s0
 persist.radio           u:object_r:radio_prop:s0
-net.dns                 u:object_r:radio_prop:s0
-sys.usb.config          u:object_r:radio_prop:s0
-
-ril.                    u:object_r:rild_prop:s0
-ril.cdma                u:object_r:radio_prop:s0
 
 net.                    u:object_r:system_prop:s0
 dev.                    u:object_r:system_prop:s0
@@ -24,7 +22,7 @@ sys.                    u:object_r:system_prop:s0
 sys.powerctl            u:object_r:powerctl_prop:s0
 service.                u:object_r:system_prop:s0
 wlan.                   u:object_r:system_prop:s0
-dhcp.                   u:object_r:system_prop:s0
+dhcp.                   u:object_r:dhcp_prop:s0
 dhcp.bt-pan.result      u:object_r:pan_result_prop:s0
 bluetooth.              u:object_r:bluetooth_prop:s0
 

radio.te

@@ -19,6 +19,10 @@ allow radio alarm_device:chr_file rw_file_perms;
 
 # Property service
 allow radio radio_prop:property_service set;
+allow radio net_radio_prop:property_service set;
+allow radio system_radio_prop:property_service set;
+auditallow radio net_radio_prop:property_service set;
+auditallow radio system_radio_prop:property_service set;
 
 # ctl interface
 allow radio ctl_rildaemon_prop:property_service set;

recovery.te

@@ -77,6 +77,9 @@ recovery_only(`
   allow recovery powerctl_prop:property_service set;
   unix_socket_connect(recovery, property, init)
 
+  # Start/stop adbd via ctl.start adbd
+  allow recovery ctl_default_prop:property_service set;
+
   # Use setfscreatecon() to label files for OTA updates.
   allow recovery self:process setfscreate;
 

rild.te

@@ -26,8 +26,11 @@ allow rild system_data_file:file r_file_perms;
 allow rild system_file:file x_file_perms;
 
 # property service
-allow rild rild_prop:property_service set;
 allow rild radio_prop:property_service set;
+allow rild net_radio_prop:property_service set;
+allow rild system_radio_prop:property_service set;
+auditallow rild net_radio_prop:property_service set;
+auditallow rild system_radio_prop:property_service set;
 
 # Read/Write to uart driver (for GPS)
 allow rild gps_device:chr_file rw_file_perms;

system_app.te

@@ -30,7 +30,10 @@ allow system_app dalvikcache_data_file:file { write setattr };
 # Write to properties
 unix_socket_connect(system_app, property, init)
 allow system_app debug_prop:property_service set;
-allow system_app radio_prop:property_service set;
+allow system_app net_radio_prop:property_service set;
+allow system_app system_radio_prop:property_service set;
+auditallow system_app net_radio_prop:property_service set;
+auditallow system_app system_radio_prop:property_service set;
 allow system_app system_prop:property_service set;
 allow system_app ctl_bugreport_prop:property_service set;
 allow system_app logd_prop:property_service set;

system_server.te

@@ -271,7 +271,9 @@ allow system_server anr_data_file:dir relabelto;
 
 # Property Service write
 allow system_server system_prop:property_service set;
-allow system_server radio_prop:property_service set;
+allow system_server dhcp_prop:property_service set;
+allow system_server net_radio_prop:property_service set;
+allow system_server system_radio_prop:property_service set;
 allow system_server debug_prop:property_service set;
 allow system_server powerctl_prop:property_service set;
 

unconfined.te

@@ -109,4 +109,3 @@ allow unconfineddomain node_type:node *;
 allow unconfineddomain netif_type:netif *;
 allow unconfineddomain domain:peer recv;
 allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
-allow unconfineddomain { property_type -security_prop }:property_service set;