From dd1ec6d557e80c688f7f1e4aef522b6441e8151a Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 1 Nov 2013 10:45:03 -0700
Subject: [PATCH] Give system_server / system_app ability to write some
 properties

Allow writing to persist.sys and debug.

This addresses the following denials (which are actually being enforced):

<4>[  131.700473] avc:  denied  { set } for property=debug.force_rtl scontext=u:r:system_server:s0 tcontext=u:object_r:shell_prop:s0 tclass=property_service
<3>[  131.700625] init: sys_prop: permission denied uid:1000  name:debug.force_rtl
<4>[  132.630062] avc:  denied  { set } for property=persist.sys.dalvik.vm.lib scontext=u:r:system_app:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service
<3>[  132.630184] init: sys_prop: permission denied uid:1000  name:persist.sys.dalvik.vm.lib

Change-Id: I5d114c0d963bf393f49f1bf13d1ed84137fbcca6
---
 property.te       | 1 +
 property_contexts | 2 +-
 system_app.te     | 3 +++
 system_server.te  | 1 +
 4 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/property.te b/property.te
index d0c77a47e..55888d115 100644
--- a/property.te
+++ b/property.te
@@ -1,5 +1,6 @@
 type default_prop, property_type;
 type shell_prop, property_type;
+type debug_prop, property_type;
 type radio_prop, property_type;
 type system_prop, property_type;
 type vold_prop, property_type;
diff --git a/property_contexts b/property_contexts
index 6c47c9fc0..75c927f58 100644
--- a/property_contexts
+++ b/property_contexts
@@ -26,7 +26,7 @@ wlan.                   u:object_r:system_prop:s0
 dhcp.                   u:object_r:system_prop:s0
 bluetooth.              u:object_r:bluetooth_prop:s0
 
-debug.                  u:object_r:shell_prop:s0
+debug.                  u:object_r:debug_prop:s0
 log.                    u:object_r:shell_prop:s0
 service.adb.root        u:object_r:shell_prop:s0
 service.adb.tcp.port    u:object_r:shell_prop:s0
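Review bot: Relabeling `debug.` from shell_prop to debug_prop takes debug.* write access away from every domain that had it only through `shell_prop:property_service set`, and the one new grant visible in this patch is for system_server in system_server.te. If the shell domain or any other setter of debug.* relies on the old label, it will hit the same enforced denial quoted in the commit message, so check the policy for existing `shell_prop:property_service` rules and add `debug_prop` where debug.* writes are intended. The split presumably exists so system_server does not also gain log. and service.adb.*, which stay on shell_prop. A comment above the entry would record that, for example `# debug.* has its own type so it can be granted without log. and service.adb.*`.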
diff --git a/system_app.te b/system_app.te
index a8ad762c8..3084e9363 100644
--- a/system_app.te
+++ b/system_app.te
@@ -33,3 +33,6 @@ allow system_app sdcard_type:dir r_dir_perms;
 # Allow settings app to read from asec
 allow system_app asec_apk_file:dir search;
 allow system_app asec_apk_file:file r_file_perms;
+
+# Write to properties
+allow system_app system_prop:property_service set;
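Review bot: `allow system_app system_prop:property_service set;` is wider than the denial it answers. The log shows only persist.sys.dalvik.vm.lib being set, while property_contexts also labels prefixes such as wlan. and dhcp. as system_prop, so every process in the system_app domain gains write access to those too. If only persist.sys.* is needed, a dedicated property type for that prefix, granted to system_app, would keep the rule closer to least privilege. At minimum the comment `# Write to properties` should state the intent and the scope, for example `# Set persist.sys.* (e.g. persist.sys.dalvik.vm.lib); system_prop also covers wlan. and dhcp.`.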
diff --git a/system_server.te b/system_server.te
index cae5cb0a5..782c27f97 100644
--- a/system_server.te
+++ b/system_server.te
@@ -147,6 +147,7 @@ allow system_server anr_data_file:dir relabelto;
 # Property Service write
 allow system_server system_prop:property_service set;
 allow system_server radio_prop:property_service set;
+allow system_server debug_prop:property_service set;
 
 # ctl interface
 allow system_server ctl_default_prop:property_service set;
-- 
GitLab