Move net.dns* to it's own label.

Move net.dns* from net_radio_prop to the newly created label net_dns_prop. This allows finer grain control over this specific property. Prior to this change, this property was readable to all SELinux domains, and writable by the following SELinux domains: * system_server * system_app (apps which run as UID=system) * netmgrd * radio This change: 1) Removes read access to this property to everyone EXCEPT untrusted_app and system_server. 2) Limit write access to system_server. In particular, this change removes read access to priv_apps. Any priv_app which ships with the system should not be reading this property. Bug: 34115651 Test: Device boots, wifi turns on, no problems browsing the internet Change-Id: I8a32e98c4f573d634485c4feac91baa35d021d38

Move net.dns* to it's own label.
Move net.dns* from net_radio_prop to the newly created label net_dns_prop. This allows finer grain control over this specific property. Prior to this change, this property was readable to all SELinux domains, and writable by the following SELinux domains: * system_server * system_app (apps which run as UID=system) * netmgrd * radio This change: 1) Removes read access to this property to everyone EXCEPT untrusted_app and system_server. 2) Limit write access to system_server. In particular, this change removes read access to priv_apps. Any priv_app which ships with the system should not be reading this property. Bug: 34115651 Test: Device boots, wifi turns on, no problems browsing the internet Change-Id: I8a32e98c4f573d634485c4feac91baa35d021d38
4e404290 · Nick Kralevich · 8b63356b · 4e404290 · 4e404290 · 4e404290
Commit 4e404290 authored 8 years ago by Nick Kralevich
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -8,7 +8,7 @@ net.ppp                 u:object_r:net_radio_prop:s0
 net.qmi                 u:object_r:net_radio_prop:s0
 net.lte                 u:object_r:net_radio_prop:s0
 net.cdma                u:object_r:net_radio_prop:s0
-net.dns                 u:object_r:net_radio_prop:s0
+net.dns                 u:object_r:net_dns_prop:s0
 sys.usb.config          u:object_r:system_radio_prop:s0
 ril.                    u:object_r:radio_prop:s0
 ro.ril.                 u:object_r:radio_prop:s0

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -394,6 +394,7 @@ set_prop(system_server, system_prop)
 set_prop(system_server, safemode_prop)
 set_prop(system_server, dhcp_prop)
 set_prop(system_server, net_radio_prop)
+set_prop(system_server, net_dns_prop)
 set_prop(system_server, system_radio_prop)
 set_prop(system_server, debug_prop)
 set_prop(system_server, powerctl_prop)

--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -21,6 +21,10 @@ app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
+# b/34115651 - net.dns* properties read
+# This will go away in a future Android release
+get_prop(untrusted_app, net_dns_prop)
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app)

--- a/public/property.te
+++ b/public/property.te
@@ -28,6 +28,7 @@ type logpersistd_logging_prop, property_type;
 type log_prop, property_type, log_property_type;
 type log_tag_prop, property_type, log_property_type;
 type mmc_prop, property_type;
+type net_dns_prop, property_type;
 type net_radio_prop, property_type, core_property_type;
 type nfc_prop, property_type, core_property_type;
 type overlay_prop, property_type;