Support fine grain read access control for properties

Properties are now broken up from a single /dev/__properties__ file into multiple files, one per property label. This commit provides the mechanism to control read access to each of these files and therefore sets of properties. This allows full access for all domains to each of these new property files to match the current permissions of /dev/__properties__. Future commits will restrict the access. Bug: 21852512 Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094

Support fine grain read access control for properties
Properties are now broken up from a single /dev/__properties__ file into multiple files, one per property label. This commit provides the mechanism to control read access to each of these files and therefore sets of properties. This allows full access for all domains to each of these new property files to match the current permissions of /dev/__properties__. Future commits will restrict the access. Bug: 21852512 Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
949d7cbc · Tom Cherry · 8ff6a86d · 949d7cbc · 949d7cbc · 949d7cbc
Commit 949d7cbc authored 9 years ago by Tom Cherry
--- a/device.te
+++ b/device.te
@@ -54,6 +54,7 @@ type usbaccessory_device, dev_type, mlstrustedobject;
 type usb_device, dev_type, mlstrustedobject;
 type klog_device, dev_type;
 type properties_device, dev_type;
+type properties_serial, dev_type;
 type i2c_device, dev_type;

 # All devices have a uart for the hci

--- a/domain.te
+++ b/domain.te
@@ -76,7 +76,14 @@ allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain urandom_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
-allow domain properties_device:file r_file_perms;
+allow domain properties_device:dir r_dir_perms;
+allow domain properties_serial:file r_file_perms;
+
+# For now, everyone can access all property files
+get_prop(domain, property_type)
+dontaudit domain property_type:file audit_access;
+allow domain property_contexts:file r_file_perms;
+
 allow domain init:key search;
 allow domain vold:key search;


--- a/file.te
+++ b/file.te
@@ -192,6 +192,9 @@ type sap_uim_socket, file_type;
 # UART (for GPS) control proc file
 type gps_control, file_type;

+# property_contexts file
+type property_contexts, file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;

--- a/file_contexts
+++ b/file_contexts
@@ -34,7 +34,7 @@

 # SELinux policy files
 /file_contexts\.bin u:object_r:rootfs:s0
-/property_contexts  u:object_r:rootfs:s0
+/property_contexts  u:object_r:property_contexts:s0
 /seapp_contexts     u:object_r:rootfs:s0
 /sepolicy           u:object_r:rootfs:s0
 /service_contexts   u:object_r:rootfs:s0

--- a/init.te
+++ b/init.te
@@ -14,8 +14,9 @@ allow init tmpfs:chr_file create_file_perms;
 # /dev/socket
 allow init { device socket_device }:dir relabelto;
 # /dev/__properties__
-allow init tmpfs:file relabelfrom;
-allow init properties_device:file relabelto;
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { create_file_perms relabelto };

 # setrlimit
 allow init self:capability sys_resource;

--- a/property.te
+++ b/property.te
@@ -30,3 +30,5 @@ type powerctl_prop, property_type;
 type nfc_prop, property_type;
 type dalvik_prop, property_type;
 type config_prop, property_type;
+
+allow property_type tmpfs:filesystem associate;
--- a/te_macros
+++ b/te_macros
@@ -152,6 +152,15 @@ __unix_socket_connect__($1, property, init)
 allow $1 $2:property_service set;
 ')

+#####################################
+# get_prop(sourcedomain, targetproperty)
+# Allows source domain to read the
+# targetproperty.
+#
+define(`get_prop', `
+allow $1 $2:file r_file_perms;
+')
+
 #####################################
 # unix_socket_send(clientdomain, socket, serverdomain)
 # Allow a local socket send from clientdomain via