From 949d7cbc29c1a658f00b966a81fd3f710c065fec Mon Sep 17 00:00:00 2001
From: Tom Cherry <tomcherry@google.com>
Date: Tue, 1 Dec 2015 16:58:27 -0800
Subject: [PATCH] Support fine grain read access control for properties

Properties are now broken up from a single /dev/__properties__ file into
multiple files, one per property label.  This commit provides the
mechanism to control read access to each of these files and therefore
sets of properties.

This allows full access for all domains to each of these new property
files to match the current permissions of /dev/__properties__.  Future
commits will restrict the access.

Bug: 21852512

Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
---
 device.te     | 1 +
 domain.te     | 9 ++++++++-
 file.te       | 3 +++
 file_contexts | 2 +-
 init.te       | 5 +++--
 property.te   | 2 ++
 te_macros     | 9 +++++++++
 7 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/device.te b/device.te
index b1b4582f7..6457017d3 100644
--- a/device.te
+++ b/device.te
@@ -54,6 +54,7 @@ type usbaccessory_device, dev_type, mlstrustedobject;
 type usb_device, dev_type, mlstrustedobject;
 type klog_device, dev_type;
 type properties_device, dev_type;
+type properties_serial, dev_type;
 type i2c_device, dev_type;
 
 # All devices have a uart for the hci
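Review bot: `type properties_serial, dev_type;` is added with no comment, while the neighbouring device types at least have names that explain themselves; from init.te in this patch it is the file init alone writes (`properties_serial:file { write relabelto }`) and every domain reads, so a one-line note would save the next reader a cross-file lookup. Suggest `# property area serial file: written by init, read-only for everyone else` above the declaration, with the "only init writes" part confirmed against the rest of the policy since this diff shows only init.te and domain.te.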
diff --git a/domain.te b/domain.te
index 2d11bf7fb..02b884f15 100644
--- a/domain.te
+++ b/domain.te
@@ -76,7 +76,14 @@ allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain urandom_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
-allow domain properties_device:file r_file_perms;
+allow domain properties_device:dir r_dir_perms;
+allow domain properties_serial:file r_file_perms;
+
+# For now, everyone can access all property files
+get_prop(domain, property_type)
+dontaudit domain property_type:file audit_access;
+allow domain property_contexts:file r_file_perms;
+
 allow domain init:key search;
 allow domain vold:key search;
 
diff --git a/file.te b/file.te
index 1d444dd65..9251741e5 100644
--- a/file.te
+++ b/file.te
@@ -192,6 +192,9 @@ type sap_uim_socket, file_type;
 # UART (for GPS) control proc file
 type gps_control, file_type;
 
+# property_contexts file
+type property_contexts, file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
diff --git a/file_contexts b/file_contexts
index a74f8f86a..152dfb4ae 100644
--- a/file_contexts
+++ b/file_contexts
@@ -34,7 +34,7 @@
 
 # SELinux policy files
 /file_contexts\.bin u:object_r:rootfs:s0
-/property_contexts  u:object_r:rootfs:s0
+/property_contexts  u:object_r:property_contexts:s0
 /seapp_contexts     u:object_r:rootfs:s0
 /sepolicy           u:object_r:rootfs:s0
 /service_contexts   u:object_r:rootfs:s0
diff --git a/init.te b/init.te
index e6c782584..d07c5a7b6 100644
--- a/init.te
+++ b/init.te
@@ -14,8 +14,9 @@ allow init tmpfs:chr_file create_file_perms;
 # /dev/socket
 allow init { device socket_device }:dir relabelto;
 # /dev/__properties__
-allow init tmpfs:file relabelfrom;
-allow init properties_device:file relabelto;
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { create_file_perms relabelto };
 
 # setrlimit
 allow init self:capability sys_resource;
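Review bot: The hunk drops `allow init tmpfs:file relabelfrom;` while adding `relabelto` on `properties_serial:file` and `property_type:file`; a relabel needs both halves, so relabeling a freshly created (tmpfs-labelled) property file would be denied unless a `tmpfs:file relabelfrom` rule survives elsewhere in init.te, or init creates the files with their final context through the fs-create context and never relabels them — this diff cannot show which. If the latter is the design, the two `relabelto` grants are dead permissions and should be dropped or explained so they are not widened later by mistake. The `# /dev/__properties__` comment now heads three rules for three distinct types; suggest `# /dev/__properties__ dir, its serial file, and the per-label property files`.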
diff --git a/property.te b/property.te
index 07b50911e..9e97b6027 100644
--- a/property.te
+++ b/property.te
@@ -30,3 +30,5 @@ type powerctl_prop, property_type;
 type nfc_prop, property_type;
 type dalvik_prop, property_type;
 type config_prop, property_type;
+
+allow property_type tmpfs:filesystem associate;
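Review bot: `allow property_type tmpfs:filesystem associate;` is added without a comment saying why property types need their own associate rule when the file.te hunk shows generic associate rules keyed on fs_type/sysfs_type. Suggest `# Property files are created on the tmpfs backing /dev; property_type is not a file_type, so the generic file_type associate rules do not apply` — the second clause is inferred from this rule being necessary at all, so confirm it against the property_type declaration before committing the wording.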
diff --git a/te_macros b/te_macros
index 1936ffbc2..37b33a90b 100644
--- a/te_macros
+++ b/te_macros
@@ -152,6 +152,15 @@ __unix_socket_connect__($1, property, init)
 allow $1 $2:property_service set;
 ')
 
+#####################################
+# get_prop(sourcedomain, targetproperty)
+# Allows source domain to read the
+# targetproperty.
+#
+define(`get_prop', `
+allow $1 $2:file r_file_perms;
+')
+
 #####################################
 # unix_socket_send(clientdomain, socket, serverdomain)
 # Allow a local socket send from clientdomain via
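Review bot: The `get_prop` header says it "allows source domain to read the targetproperty" but not what that means under the new layout: the macro body grants `r_file_perms` on the `file` class, i.e. access is enforced on the property's backing file, and a reader additionally needs search on `properties_device:dir` and read on `property_contexts:file` to locate that file — in this commit both come only from the domain-wide rules in domain.te. Suggest extending the header with `# Grants r_file_perms on the backing file of targetproperty; callers also rely on domain-wide access to properties_device:dir and property_contexts:file to find it`, so later per-domain uses are not surprised if the domain-wide grants are narrowed.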