diff --git a/Android.mk b/Android.mk index c210dcb60f1ad3fba6f6a33c4b2c5e7469844e10..0ebc49cc583e090fdd0cd96757de68bc5bd4c2ac 100644 --- a/Android.mk +++ b/Android.mk @@ -15,6 +15,7 @@ LOCAL_POLICY_DIRS := $(SRC_TARGET_DIR)/board/$(TARGET_DEVICE)/ device/*/$(TARGET LOCAL_POLICY_FC := $(wildcard $(addsuffix sepolicy.fc, $(LOCAL_POLICY_DIRS))) LOCAL_POLICY_TE := $(wildcard $(addsuffix sepolicy.te, $(LOCAL_POLICY_DIRS))) +LOCAL_POLICY_PC := $(wildcard $(addsuffix sepolicy.pc, $(LOCAL_POLICY_DIRS))) ################################## include $(CLEAR_VARS) @@ -66,6 +67,22 @@ LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) include $(BUILD_PREBUILT) +################################## +include $(CLEAR_VARS) + +LOCAL_MODULE := property_contexts +LOCAL_MODULE_CLASS := ETC +LOCAL_MODULE_TAGS := optional +LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) + +include $(BUILD_SYSTEM)/base_rules.mk + +property_contexts := $(intermediates)/property_contexts +$(property_contexts): $(LOCAL_PATH)/property_contexts $(LOCAL_POLICY_PC) + @mkdir -p $(dir $@) + $(hide) cat $^ > $@ + +property_contexts := ################################## endif #ifeq ($(HAVE_SELINUX),true) diff --git a/access_vectors b/access_vectors index 90927e7e05069a2a606b0e002fb48481e78f10b0..4b0c4b1939e39aa0877e87cafda77fad523bb1b0 100644 --- a/access_vectors +++ b/access_vectors @@ -880,3 +880,8 @@ class zygote specifyinvokewith specifyseinfo } + +class property_service +{ + set +} diff --git a/attributes b/attributes index f2ea0c53adbc4100d94d8ab1f657b469b5de347a..1016ec65dc598a47ef4f782099d49868e6b48081 100644 --- a/attributes +++ b/attributes @@ -33,6 +33,9 @@ attribute netif_type; # All types used for network ports. attribute port_type; +# All types used for property service +attribute property_type; + # All domains that can override MLS restrictions. # i.e. processes that can read up and write down. attribute mlstrustedsubject; 
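Review bot: In the second Android.mk hunk the `property_contexts` rule merges the base file and every device `sepolicy.pc` with `cat $^ > $@`, with no comment on merge order and no validation of the result. A fragment that lacks a trailing newline would run into the first entry of the next file, and a mistyped context would presumably only surface on the device. A comment above the rule would help: `# Base property_contexts first, then per-device sepolicy.pc fragments; every input must end with a newline.` Writing through a temporary file (`cat $^ > $@.tmp && mv -f $@.tmp $@`) would also avoid leaving a truncated file that looks up to date if `cat` fails, unless the build system already deletes failed targets.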
diff --git a/property.te b/property.te
new file mode 100644
index 0000000000000000000000000000000000000000..b62004eff26e2a9705ba17f604a31c8a08fbf739
--- /dev/null
+++ b/property.te
@@ -0,0 +1,9 @@
+type default_prop, property_type;
+type shell_prop, property_type;
+type radio_prop, property_type;
+type system_prop, property_type;
+type vold_prop, property_type;
+type rild_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_dumpstate_prop, property_type;
+type ctl_rildaemon_prop, property_type;
diff --git a/property_contexts b/property_contexts
new file mode 100644
index 0000000000000000000000000000000000000000..320179c6088903fc277fd6ff696b3d0efa8cf335
--- /dev/null
+++ b/property_contexts
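Review bot: The nine types in the new property.te carry no comment saying which property namespaces each one labels or which domain is expected to set it, so the file cannot be reviewed without property_contexts open beside it. A short header such as `# Types for property service keys; the key-to-type mapping is in property_contexts.` plus a one-line comment per type would fix that. It is also worth stating that `default_prop` is granted to no confined domain in this commit (only `unconfineddomain` reaches it through `property_type`), if that default-deny is intended.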
@@ -0,0 +1,51 @@
+##########################
+# property service keys
+#
+#
+net.rmnet0 u:object_r:radio_prop:s0
+net.gprs u:object_r:radio_prop:s0
+net.ppp u:object_r:radio_prop:s0
+net.qmi u:object_r:radio_prop:s0
+net.lte u:object_r:radio_prop:s0
+persist.radio u:object_r:radio_prop:s0
+net.dns u:object_r:radio_prop:s0
+sys.usb.config u:object_r:radio_prop:s0
+gsm.current.phone-type u:object_r:radio_prop:s0
+gsm.sim. u:object_r:radio_prop:s0
+gsm.operator. u:object_r:radio_prop:s0
+gsm.version.baseband u:object_r:radio_prop:s0
+
+ril. u:object_r:rild_prop:s0
+gsm. u:object_r:rild_prop:s0
+net.cdma u:object_r:rild_prop:s0
+
+net. u:object_r:system_prop:s0
+dev. u:object_r:system_prop:s0
+runtime. u:object_r:system_prop:s0
+hw. u:object_r:system_prop:s0
+sys. u:object_r:system_prop:s0
+service. u:object_r:system_prop:s0
+wlan. u:object_r:system_prop:s0
+dhcp. u:object_r:system_prop:s0
+
+debug. u:object_r:shell_prop:s0
+log. u:object_r:shell_prop:s0
+service.adb.root u:object_r:shell_prop:s0
+service.adb.tcp.port u:object_r:shell_prop:s0
+
+persist.sys. u:object_r:system_prop:s0
+persist.service. u:object_r:system_prop:s0
+persist.security. u:object_r:system_prop:s0
+selinux. u:object_r:system_prop:s0
+
+# default property context
+* u:object_r:default_prop:s0
+
+# data partition encryption properties
+vold. u:object_r:vold_prop:s0
+crypto. u:object_r:vold_prop:s0
+
+# ctl properties
+ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
+ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
+ctl. u:object_r:ctl_default_prop:s0
diff --git a/radio.te b/radio.te
index 9094cce109f6d2fc43400aba2f504f7499993897..a119d75cfd523e56918818a8841003539f48e2d2 100644
--- a/radio.te
+++ b/radio.te
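Review bot: The header comment of property_contexts does not say how keys are matched, and the file's layout only works if the longest matching prefix wins: `service.adb.root` follows the shorter `service.` entry, and the `vold.`, `crypto.` and `ctl.` entries all follow the `*` default. Under first-match-in-file-order lookup those later entries would never apply and the affected properties would silently receive `system_prop` or `default_prop`. Once confirmed against the lookup code, which is not part of this diff, the two empty `#` lines could become `# Keys are prefixes; the longest matching prefix wins and '*' is the fallback, so file order is not significant.` Moving the `*` entry to the end of the file would also make the intent obvious to the next editor.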
@@ -15,3 +15,9 @@ allow radio radio_data_file:dir create_dir_perms; allow radio radio_data_file:notdevfile_class_set create_file_perms; allow radio alarm_device:chr_file rw_file_perms; + +# Property service +allow radio radio_prop:property_service set; + +# ctl interface +allow radio ctl_rildaemon_prop:property_service set; diff --git a/rild.te b/rild.te index 5993af478471df7b9f26ebad6caa8315872d7a73..684bc1d3b4d48c445fcc04a194cb5acb3e9b9b79 100644 --- a/rild.te +++ b/rild.te @@ -20,3 +20,6 @@ allow rild shell_exec:file rx_file_perms; dontaudit rild self:capability sys_admin; # XXX Label sysfs files with a specific type? allow rild sysfs:file rw_file_perms; + +# property service +allow rild rild_prop:property_service set; diff --git a/security_classes b/security_classes index 38d78eb7a4018d007206a651cbab278d14197f0a..197805e3b2b0b8ea4ac94247808d21ceb4ba4188 100644 --- a/security_classes +++ b/security_classes @@ -134,4 +134,7 @@ class db_language # userspace class binder class zygote +# Property service +class property_service # userspace + # FLASK diff --git a/shell.te b/shell.te index 0c67c46703f526cc4bf5d45a21ea17a56c67234e..b4fa7fde883da5cdfd6e1537262f9c43402c184e 100644 --- a/shell.te +++ b/shell.te @@ -31,3 +31,12 @@ allow shell log_device:chr_file r_file_perms; # Run app_process. # XXX Split into its own domain? app_domain(shell) + +# Property Service +allow shell shell_prop:property_service set; + +# setprop toolbox command +allow shell property_socket:sock_file write; + +# ctl interface +allow shell ctl_dumpstate_prop:property_service set; diff --git a/surfaceflinger.te b/surfaceflinger.te index 80607da94a8f077a8b1fa958782880b96fb6ab6c..bbefa142cd3b4fdd9134dd80f578dad9ccd3ec53 100644 --- a/surfaceflinger.te +++ b/surfaceflinger.te 
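Review bot: In radio.te the single rule `allow radio radio_prop:property_service set;` is wider than its `# Property service` comment suggests, because property_contexts labels `sys.usb.config` and `net.dns` as `radio_prop` alongside the modem keys. As far as I know those keys select the USB functions and the resolver addresses, so the radio domain gains write access to settings that reach beyond telephony. If the access is needed, say so in the comment, e.g. `# radio_prop also covers sys.usb.config and net.dns; see property_contexts`. Otherwise give those two keys their own type so the grant can be reviewed separately.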
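Review bot: In shell.te `allow shell shell_prop:property_service set;` also covers `service.adb.root` and `service.adb.tcp.port`, which property_contexts labels `shell_prop`, so the shell domain can request that adbd run as root or listen on TCP. Whether that request is honoured is decided elsewhere (presumably by adbd and build-type checks, not visible here), so policy is not the limiting control for these two keys. I would either move them to a separate type granted only where needed or document the reliance: `# shell_prop includes service.adb.*; enforcement of root/TCP adb is left to adbd`. The `property_socket:sock_file write` rule has no matching `connectto` in this hunk; if that is not inherited from `app_domain(shell)`, setprop will still be denied.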
@@ -22,3 +22,6 @@ allow surfaceflinger video_device:chr_file rw_file_perms; # Create and use netlink kobject uevent sockets. allow surfaceflinger self:netlink_kobject_uevent_socket *; + +# ctl interface +allow surfaceflinger ctl_default_prop:property_service set; diff --git a/system.te b/system.te index 5fa9a917d739af593e5e51388f0593539656759e..58e4f4748d9d9ec241a9e01f7fc7a7a7e097892b 100644 --- a/system.te +++ b/system.te @@ -146,6 +146,12 @@ allow system system_data_file:file relabelfrom; allow system wallpaper_file:file relabelto; allow system wallpaper_file:file r_file_perms; +# Property Service write +allow system system_prop:property_service set; + +# ctl interface +allow system ctl_default_prop:property_service set; + # Create a socket for receiving info from wpa. type_transition system wifi_data_file:sock_file system_wpa_socket; allow system system_wpa_socket:sock_file create_file_perms; diff --git a/unconfined.te b/unconfined.te index 71cdfddcd51bee44d60b9b6d937a9b3f4d1c358f..ff5359577d058199d067cffc1e3af1bf05f67005 100644 --- a/unconfined.te +++ b/unconfined.te @@ -21,3 +21,4 @@ allow unconfineddomain port_type:socket_class_set name_bind; allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect; allow unconfineddomain domain:peer recv; allow unconfineddomain domain:binder { call transfer receive }; +allow unconfineddomain property_type:property_service set; diff --git a/vold.te b/vold.te index 85a58f99d6004b0d31e9a1236340190147b0618d..403771fecb3e56b0f454b28e3434cd1f62d58483 100644 --- a/vold.te +++ b/vold.te @@ -54,3 +54,6 @@ allow vold proc:file write; # Create and mount on /data/tmp_mnt. allow vold system_data_file:dir { write create add_name mounton }; + +# Property Service +allow vold vold_prop:property_service set;
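Review bot: In surfaceflinger.te the rule `allow surfaceflinger ctl_default_prop:property_service set;` grants the catch-all `ctl.` label, which covers every control key except `ctl.dumpstate` and `ctl.ril-daemon`; those two received dedicated types. If `ctl.` keys map to starting and stopping init services, as the names suggest, surfaceflinger can control any service that lacks its own type. A per-service type following the existing pattern (placeholder name `ctl_<service>_prop`, with a matching `ctl.<service>` line in property_contexts) would limit the grant to what surfaceflinger actually needs. The same applies to `allow system ctl_default_prop:property_service set;` in the system.te hunk, and the `# ctl interface` comments should name the service being controlled.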
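Review bot: In system.te `allow system system_prop:property_service set;` reaches further than `# Property Service write` indicates, since property_contexts assigns `selinux.` and `persist.security.` to `system_prop` together with `net.`, `sys.` and the other general namespaces. If any key in those two namespaces influences policy loading or enforcement (not determinable from this diff), the system domain can change it. Consider a separate type for them, or at least extend the comment: `# system_prop includes selinux.* and persist.security.*; see property_contexts`.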