From 6f3e73db0599f09ae5abaebc25bb9f2335482f88 Mon Sep 17 00:00:00 2001
From: Jaekyun Seok <jaekyun@google.com>
Date: Fri, 16 Mar 2018 08:10:37 +0900
Subject: [PATCH] Allow only public-readable to ro.secure and ro.adb.secure

Bug: 74866333
Test: succeeded building and tested with taimen
Change-Id: Id19fec168ab266e386ea4c710a4c5cedfc4df33c
Merged-In: Id19fec168ab266e386ea4c710a4c5cedfc4df33c
(cherry picked from commit 62acbce4a2b7b95a58cbd3d7dddf94870405192b)
---
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/compat/27.0/27.0.ignore.cil | 1 +
 public/domain.te                    | 4 +++-
 public/property.te                  | 1 +
 public/property_contexts            | 3 ++-
 5 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f293d0808..e58d18445 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -24,6 +24,7 @@
     exported_overlay_prop
     exported_pm_prop
     exported_radio_prop
+    exported_secure_prop
     exported_system_prop
     exported_system_radio_prop
     exported_vold_prop
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index ed6f8bffd..2cdcca5bd 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -27,6 +27,7 @@
     exported_overlay_prop
     exported_pm_prop
     exported_radio_prop
+    exported_secure_prop
     exported_system_prop
     exported_system_radio_prop
     exported_vold_prop
diff --git a/public/domain.te b/public/domain.te
index c46d6fa87..5728a5462 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -131,6 +131,7 @@ get_prop(domain, exported_default_prop)
 get_prop(domain, exported_dumpstate_prop)
 get_prop(domain, exported_fingerprint_prop)
 get_prop(domain, exported_radio_prop)
+get_prop(domain, exported_secure_prop)
 get_prop(domain, exported_system_prop)
 get_prop(domain, exported_vold_prop)
 get_prop(domain, exported2_default_prop)
@@ -524,7 +525,8 @@ compatible_property_only(`
     neverallow { domain -init } default_prop:property_service set;
     neverallow { domain -init } mmc_prop:property_service set;
     neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
-    neverallow { domain -init -vendor_init } exported2_default_prop:property_service set;
+    neverallow { domain -init } exported_secure_prop:property_service set;
+    neverallow { domain -init } exported2_default_prop:property_service set;
     neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
     neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
 ')
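Review bot: The `exported2_default_prop` neverallow in this hunk drops `-vendor_init` from its exempt set, a tightening the commit subject (which names only ro.secure and ro.adb.secure) does not mention. If any vendor_init rule elsewhere in the policy still allows setting `exported2_default_prop`, it will now fail the neverallow check at build time, so the change should either be called out in the commit message or split into its own commit. It would also help to document the new rule in place, e.g. `# ro.secure / ro.adb.secure: readable by every domain, settable only by init.` above the `exported_secure_prop` line. ro.adb.secure was previously labelled `exported3_default_prop`, whose neverallow still exempts vendor_init, so a vendor init script that sets it would presumably be denied after this change; confirm that this is intended. The `compatible_property_only(` block opens outside the hunk, so these rules apply only where that macro is active.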
diff --git a/public/property.te b/public/property.te
index cb839c955..a099e87b6 100644
--- a/public/property.te
+++ b/public/property.te
@@ -20,6 +20,7 @@ type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
 type dumpstate_prop, property_type, core_property_type;
+type exported_secure_prop, property_type;
 type ffs_prop, property_type, core_property_type;
 type fingerprint_prop, property_type, core_property_type;
 type firstboot_prop, property_type;
diff --git a/public/property_contexts b/public/property_contexts
index a3702c3e2..d4d0ab9ee 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -74,7 +74,6 @@ pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
-ro.adb.secure u:object_r:exported3_default_prop:s0 exact int
 ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
 ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
 ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
@@ -136,6 +135,7 @@ libc.debug.malloc.options u:object_r:exported2_default_prop:s0 exact string
 libc.debug.malloc.program u:object_r:exported2_default_prop:s0 exact string
 libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
 persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
+ro.adb.secure u:object_r:exported_secure_prop:s0 exact int
 ro.arch u:object_r:exported2_default_prop:s0 exact string
 ro.audio.ignore_effects u:object_r:exported2_default_prop:s0 exact bool
 ro.baseband u:object_r:exported2_default_prop:s0 exact string
@@ -188,6 +188,7 @@ ro.product.model u:object_r:exported2_default_prop:s0 exact string
 ro.product.name u:object_r:exported2_default_prop:s0 exact string
 ro.property_service.version u:object_r:exported2_default_prop:s0 exact int
 ro.revision u:object_r:exported2_default_prop:s0 exact string
+ro.secure u:object_r:exported_secure_prop:s0 exact int
 service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
 sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
 vold.decrypt u:object_r:exported_vold_prop:s0 exact string
-- 
GitLab