From eed2e84a95671c749734d618a3557e28313e9228 Mon Sep 17 00:00:00 2001
From: Tom Cherry <tomcherry@google.com>
Date: Wed, 24 Jan 2018 11:20:35 -0800
Subject: [PATCH] Fix compatible property neverallows
The current neverallow rules for compatible properties restrict domains from write file permissions to the various property files. This however is the wrong restriction, since only init actually writes to these property files. The correct restriction is to restrict 'set' for 'property_service' as this change does. Note there is already a restriction preventing {domain -init} from writing to these files in domain.te.
Test: build
Change-Id: I19e13b0d084a240185d0f3f5195e54065dc20e09
---
 public/property.te | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/public/property.te b/public/property.te
index 0578ed61c..f5ca4d863 100644
--- a/public/property.te
+++ b/public/property.te
@@ -116,6 +116,7 @@ neverallow * {
 }:file no_rw_file_perms;
 compatible_property_only(`
+# Prevent properties from being set
 neverallow {
 domain
 -coredomain
@@ -129,19 +130,43 @@ compatible_property_only(`
 exported_dumpstate_prop
 exported_ffs_prop
 exported_fingerprint_prop
- exported_radio_prop
 exported_system_prop
 exported_system_radio_prop
 exported_vold_prop
 exported2_config_prop
 exported2_default_prop
- exported2_radio_prop
 exported2_system_prop
 exported2_vold_prop
 exported3_default_prop
 exported3_system_prop
- }:file no_w_file_perms;
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc
+ -vendor_init
+ } {
+ nfc_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -rild
+ -vendor_init
+ } {
+ exported_radio_prop
+ exported2_radio_prop
+ radio_prop
+ }:property_service set;
+# Prevent properties from being read
 neverallow {
 domain
 -coredomain
--
GitLab
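Review bot: In the second hunk (`@@ -129,19 +130,43 @@`), `-powerctl_prop` is subtracted from the first neverallow's target set but, unlike `nfc_prop` and `radio_prop`, gets no companion rule. Nothing visible here therefore bounds which non-core domains may be granted `set` on the property used to request reboot and shutdown. If that is intentional or covered elsewhere, say so next to the exclusion, e.g. `# powerctl_prop: set is restricted by <rule location>`; otherwise add a third neverallow for `powerctl_prop` with its own explicit exemption list. The two new rules would also benefit from a one-line comment each stating why `hal_nfc` and `rild` are exempt. The start of the first rule's target set lies between the two hunks and is not visible, so this is judged from the subtraction lines alone.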