Replace ctl_default_prop access with explicit service property keys.

The ctl_default_prop label is a bit too generic for some of the priveleged domains when describing access rights. Instead, be explicit about which services are being started and stopped by introducing new ctl property keys. Change-Id: I1d0c6f6b3e8bd63da30bd6c7b084da44f063246a Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Replace ctl_default_prop access with explicit service property keys.
The ctl_default_prop label is a bit too generic for some of the priveleged domains when describing access rights. Instead, be explicit about which services are being started and stopped by introducing new ctl property keys. Change-Id: I1d0c6f6b3e8bd63da30bd6c7b084da44f063246a Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
4b3893f9 · Robert Craig · 18f2b80e · 4b3893f9 · 4b3893f9 · 4b3893f9
Commit 4b3893f9 authored 11 years ago by Robert Craig
--- a/netd.te
+++ b/netd.te
@@ -56,9 +56,7 @@ allow netd dnsmasq:process signal;
 domain_auto_trans(netd, clatd_exec, clatd)
 allow netd clatd:process signal;

-# Support netd running mdnsd
-# TODO: prune this back further
-allow netd ctl_default_prop:property_service set;
+allow netd ctl_mdnsd_prop:property_service set;

 ###
 ### Neverallow rules

--- a/property.te
+++ b/property.te
@@ -6,8 +6,11 @@ type radio_prop, property_type;
 type system_prop, property_type;
 type vold_prop, property_type;
 type rild_prop, property_type;
+type ctl_bootanim_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_dumpstate_prop, property_type;
+type ctl_fuse_prop, property_type;
+type ctl_mdnsd_prop, property_type;
 type ctl_rildaemon_prop, property_type;
 type ctl_bugreport_prop, property_type;
 type audio_prop, property_type;

--- a/property_contexts
+++ b/property_contexts
@@ -52,7 +52,10 @@ vold.                   u:object_r:vold_prop:s0
 crypto.                 u:object_r:vold_prop:s0

 # ctl properties
+ctl.bootanim            u:object_r:ctl_bootanim_prop:s0
 ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
+ctl.fuse_               u:object_r:ctl_fuse_prop:s0
+ctl.mdnsd               u:object_r:ctl_mdnsd_prop:s0
 ctl.ril-daemon          u:object_r:ctl_rildaemon_prop:s0
 ctl.bugreport           u:object_r:ctl_bugreport_prop:s0
 ctl.                    u:object_r:ctl_default_prop:s0
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -38,7 +38,7 @@ allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms;

 # Set properties.
 allow surfaceflinger system_prop:property_service set;
-allow surfaceflinger ctl_default_prop:property_service set;
+allow surfaceflinger ctl_bootanim_prop:property_service set;

 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;

--- a/vold.te
+++ b/vold.te
@@ -65,7 +65,7 @@ allow vold kernel:process setsched;
 # Property Service
 allow vold vold_prop:property_service set;
 allow vold powerctl_prop:property_service set;
-allow vold ctl_default_prop:property_service set;
+allow vold ctl_fuse_prop:property_service set;

 # ASEC
 allow vold asec_image_file:file create_file_perms;