From 124720a6976a69357522299afbe5591854e40775 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 4 Apr 2012 10:11:16 -0400
Subject: [PATCH] Add policy for property service. New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties.
---
 Android.mk | 17 ++++++++++++++++
 access_vectors | 5 +++++
 attributes | 3 +++
 property.te | 9 +++++++++
 property_contexts | 51 +++++++++++++++++++++++++++++++++++++++++++++++
 radio.te | 6 ++++++
 rild.te | 3 +++
 security_classes | 3 +++
 shell.te | 9 +++++++++
 surfaceflinger.te | 3 +++
 system.te | 6 ++++++
 unconfined.te | 1 +
 vold.te | 3 +++
 13 files changed, 119 insertions(+)
 create mode 100644 property.te
 create mode 100644 property_contexts
diff --git a/Android.mk b/Android.mk
index c210dcb60..0ebc49cc5 100644
--- a/Android.mk
+++ b/Android.mk
@@ -15,6 +15,7 @@ LOCAL_POLICY_DIRS := $(SRC_TARGET_DIR)/board/$(TARGET_DEVICE)/ device/*/$(TARGET
 LOCAL_POLICY_FC := $(wildcard $(addsuffix sepolicy.fc, $(LOCAL_POLICY_DIRS)))
 LOCAL_POLICY_TE := $(wildcard $(addsuffix sepolicy.te, $(LOCAL_POLICY_DIRS)))
+LOCAL_POLICY_PC := $(wildcard $(addsuffix sepolicy.pc, $(LOCAL_POLICY_DIRS)))
 ##################################
 include $(CLEAR_VARS)
@@ -66,6 +67,22 @@ LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 include $(BUILD_PREBUILT)
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+property_contexts := $(intermediates)/property_contexts
+$(property_contexts): $(LOCAL_PATH)/property_contexts $(LOCAL_POLICY_PC)
+ @mkdir -p $(dir $@)
+ $(hide) cat $^ > $@
+
+property_contexts :=
 ##################################
 endif #ifeq ($(HAVE_SELINUX),true)
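Review bot: The `$(hide) cat $^ > $@` recipe in the new property_contexts rule merges the base file with every device `sepolicy.pc` fragment without any check, so a duplicate key, or a context naming a type the policy never declares, would presumably only surface when the file is loaded on the device. Because these labels decide which domain may set which property, the merge order deserves a comment above the rule, e.g. `# Base property_contexts first, then device sepolicy.pc fragments; duplicate keys are not detected here.`, and a build-time validation of the merged file against the policy would be worth adding. The plain redirect also leaves a truncated target behind if `cat` fails part-way; `$(hide) cat $^ > $@.tmp && mv -f $@.tmp $@` avoids that.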
diff --git a/access_vectors b/access_vectors
index 90927e7e0..4b0c4b193 100644
--- a/access_vectors
+++ b/access_vectors
@@ -880,3 +880,8 @@ class zygote
 specifyinvokewith
 specifyseinfo
 }
+
+class property_service
+{
+ set
+}
diff --git a/attributes b/attributes
index f2ea0c53a..1016ec65d 100644
--- a/attributes
+++ b/attributes
@@ -33,6 +33,9 @@ attribute netif_type;
 # All types used for network ports.
 attribute port_type;
+# All types used for property service
+attribute property_type;
+
 # All domains that can override MLS restrictions.
 # i.e. processes that can read up and write down.
 attribute mlstrustedsubject;
diff --git a/property.te b/property.te
new file mode 100644
index 000000000..b62004eff
--- /dev/null
+++ b/property.te
@@ -0,0 +1,9 @@
+type default_prop, property_type;
+type shell_prop, property_type;
+type radio_prop, property_type;
+type system_prop, property_type;
+type vold_prop, property_type;
+type rild_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_dumpstate_prop, property_type;
+type ctl_rildaemon_prop, property_type;
diff --git a/property_contexts b/property_contexts
new file mode 100644
index 000000000..320179c60
--- /dev/null
+++ b/property_contexts
@@ -0,0 +1,51 @@
+##########################
+# property service keys
+#
+#
+net.rmnet0 u:object_r:radio_prop:s0
+net.gprs u:object_r:radio_prop:s0
+net.ppp u:object_r:radio_prop:s0
+net.qmi u:object_r:radio_prop:s0
+net.lte u:object_r:radio_prop:s0
+persist.radio u:object_r:radio_prop:s0
+net.dns u:object_r:radio_prop:s0
+sys.usb.config u:object_r:radio_prop:s0
+gsm.current.phone-type u:object_r:radio_prop:s0
+gsm.sim. u:object_r:radio_prop:s0
+gsm.operator. u:object_r:radio_prop:s0
+gsm.version.baseband u:object_r:radio_prop:s0
+
+ril. u:object_r:rild_prop:s0
+gsm. u:object_r:rild_prop:s0
+net.cdma u:object_r:rild_prop:s0
+
+net. u:object_r:system_prop:s0
+dev. u:object_r:system_prop:s0
+runtime. u:object_r:system_prop:s0
+hw. u:object_r:system_prop:s0
+sys. u:object_r:system_prop:s0
+service. u:object_r:system_prop:s0
+wlan. u:object_r:system_prop:s0
+dhcp. u:object_r:system_prop:s0
+
+debug. u:object_r:shell_prop:s0
+log. u:object_r:shell_prop:s0
+service.adb.root u:object_r:shell_prop:s0
+service.adb.tcp.port u:object_r:shell_prop:s0
+
+persist.sys. u:object_r:system_prop:s0
+persist.service. u:object_r:system_prop:s0
+persist.security. u:object_r:system_prop:s0
+selinux. u:object_r:system_prop:s0
+
+# default property context
+* u:object_r:default_prop:s0
+
+# data partition encryption properties
+vold. u:object_r:vold_prop:s0
+crypto. u:object_r:vold_prop:s0
+
+# ctl properties
+ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
+ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
+ctl. u:object_r:ctl_default_prop:s0
diff --git a/radio.te b/radio.te
index 9094cce10..a119d75cf 100644
--- a/radio.te
+++ b/radio.te
@@ -15,3 +15,9 @@ allow radio radio_data_file:dir create_dir_perms;
 allow radio radio_data_file:notdevfile_class_set create_file_perms;
 allow radio alarm_device:chr_file rw_file_perms;
+
+# Property service
+allow radio radio_prop:property_service set;
+
+# ctl interface
+allow radio ctl_rildaemon_prop:property_service set;
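Review bot: The `*` default entry sits in the middle of property_contexts, ahead of the `vold.`, `crypto.` and `ctl.` entries, and several keys overlap (`gsm.sim.` vs `gsm.`, `net.rmnet0` vs `net.`, `service.adb.root` vs `service.`), so the labelling is only correct if lookup prefers the longest matching prefix rather than file order. The selabel backend is not part of this patch, so that cannot be confirmed from here; moving `*` to the last line and adding a header comment that states the matching rule would make the file safe to read and extend either way. Separately, `sys.usb.config` under `radio_prop` and `service.adb.root` / `service.adb.tcp.port` under `shell_prop` give the radio and shell domains control over USB and adb configuration through the allow rules added in radio.te and shell.te; a one-line comment confirming this is deliberate would help the next reviewer.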
diff --git a/rild.te b/rild.te
index 5993af478..684bc1d3b 100644
--- a/rild.te
+++ b/rild.te
@@ -20,3 +20,6 @@ allow rild shell_exec:file rx_file_perms;
 dontaudit rild self:capability sys_admin;
 # XXX Label sysfs files with a specific type?
 allow rild sysfs:file rw_file_perms;
+
+# property service
+allow rild rild_prop:property_service set;
diff --git a/security_classes b/security_classes
index 38d78eb7a..197805e3b 100644
--- a/security_classes
+++ b/security_classes
@@ -134,4 +134,7 @@ class db_language # userspace
 class binder
 class zygote
+# Property service
+class property_service # userspace
+
 # FLASK
diff --git a/shell.te b/shell.te
index 0c67c4670..b4fa7fde8 100644
--- a/shell.te
+++ b/shell.te
@@ -31,3 +31,12 @@ allow shell log_device:chr_file r_file_perms;
 # Run app_process.
 # XXX Split into its own domain?
 app_domain(shell)
+
+# Property Service
+allow shell shell_prop:property_service set;
+
+# setprop toolbox command
+allow shell property_socket:sock_file write;
+
+# ctl interface
+allow shell ctl_dumpstate_prop:property_service set;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 80607da94..bbefa142c 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -22,3 +22,6 @@ allow surfaceflinger video_device:chr_file rw_file_perms;
 # Create and use netlink kobject uevent sockets.
 allow surfaceflinger self:netlink_kobject_uevent_socket *;
+
+# ctl interface
+allow surfaceflinger ctl_default_prop:property_service set;
diff --git a/system.te b/system.te
index 5fa9a917d..58e4f4748 100644
--- a/system.te
+++ b/system.te
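Review bot: Only shell receives `allow shell property_socket:sock_file write;`, while radio, rild, vold, system and surfaceflinger are given `property_service set` in this same patch with no matching socket rule. If those domains do not already reach the property socket through rules elsewhere in the policy (not visible in this diff), their new `set` permission may never be exercisable; if they do, the shell rule may be redundant. Extending the existing `# setprop toolbox command` comment to say why shell needs the rule explicitly, and where the other domains get theirs, would settle the question for later readers.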
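Review bot: `allow surfaceflinger ctl_default_prop:property_service set;` is broader than the `# ctl interface` comment suggests, because property_contexts in this patch labels every `ctl.` key other than `ctl.dumpstate` and `ctl.ril-daemon` as `ctl_default_prop`. If surfaceflinger only needs to control one service, a dedicated type would keep the grant to that service, along the lines of `ctl.<service> u:object_r:ctl_<service>_prop:s0` in property_contexts plus `allow surfaceflinger ctl_<service>_prop:property_service set;` (placeholder names). The same catch-all grant appears in the system.te hunk, where it may well be intended; a comment on each rule naming the services involved would make the scope explicit.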
@@ -146,6 +146,12 @@ allow system system_data_file:file relabelfrom;
 allow system wallpaper_file:file relabelto;
 allow system wallpaper_file:file r_file_perms;
+# Property Service write
+allow system system_prop:property_service set;
+
+# ctl interface
+allow system ctl_default_prop:property_service set;
+
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system system_wpa_socket:sock_file create_file_perms;
diff --git a/unconfined.te b/unconfined.te
index 71cdfddcd..ff5359577 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -21,3 +21,4 @@ allow unconfineddomain port_type:socket_class_set name_bind;
 allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
 allow unconfineddomain domain:peer recv;
 allow unconfineddomain domain:binder { call transfer receive };
+allow unconfineddomain property_type:property_service set;
diff --git a/vold.te b/vold.te
index 85a58f99d..403771fec 100644
--- a/vold.te
+++ b/vold.te
@@ -54,3 +54,6 @@ allow vold proc:file write;
 # Create and mount on /data/tmp_mnt.
 allow vold system_data_file:dir { write create add_name mounton };
+
+# Property Service
+allow vold vold_prop:property_service set;
-- 
GitLab