From a6f989241bc3982d4c4ffaae320c63dc6e3f0e87 Mon Sep 17 00:00:00 2001
From: Hongyi Zhang <hongyiz@google.com>
Date: Thu, 25 Oct 2018 20:09:55 -0700
Subject: [PATCH] sepolicy for server configurable flags

Test: manual on device
Change-Id: Ibafe1b345489c88a49a7ed3e2e61e5cc5e1880a1
---
 private/compat/26.0/26.0.ignore.cil |  3 +++
 private/compat/27.0/27.0.ignore.cil |  3 +++
 private/compat/28.0/28.0.ignore.cil |  3 +++
 private/file_contexts               |  1 +
 private/flags_health_check.te       |  3 +++
 private/property_contexts           |  3 +++
 public/flags_heatlh_check.te        | 11 +++++++++++
 public/property.te                  |  2 ++
 public/vendor_init.te               |  1 +
 9 files changed, 30 insertions(+)
 create mode 100644 private/flags_health_check.te
 create mode 100644 public/flags_heatlh_check.te

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 17af59b24..1e3977a35 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -36,6 +36,7 @@
     ctl_interface_start_prop
     ctl_interface_stop_prop
     ctl_sigstop_prop
+    device_config_boot_count_prop
     e2fs
     e2fs_exec
     exfat
@@ -65,6 +66,8 @@
     exported3_system_prop
     fastbootd
     fingerprint_vendor_data_file
+    flags_health_check
+    flags_health_check_exec
     fs_bpf
     fwk_stats_hwservice
     hal_atrace_hwservice
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 00ee63079..af805dfe2 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -34,6 +34,7 @@
     ctl_interface_start_prop
     ctl_interface_stop_prop
     ctl_sigstop_prop
+    device_config_boot_count_prop
     exfat
     exported2_config_prop
     exported2_default_prop
@@ -60,6 +61,8 @@
     exported_vold_prop
     exported_wifi_prop
     fastbootd
+    flags_health_check
+    flags_health_check_exec
     fingerprint_vendor_data_file
     fs_bpf
     fwk_stats_hwservice
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index fe17bfaca..6c9fbee98 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -18,7 +18,10 @@
     biometric_service
     ;; TODO(b/116344577): remove after the issue is resolved
     buffer_hub_service
+    device_config_boot_count_prop
     fastbootd
+    flags_health_check
+    flags_health_check_exec
     fwk_bufferhub_hwservice
     fwk_stats_hwservice
     color_display_service
diff --git a/private/file_contexts b/private/file_contexts
index 6638b4515..ae20f5d06 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -281,6 +281,7 @@
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
+/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
 /system/bin/idmap u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/bspatch              u:object_r:update_engine_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
new file mode 100644
index 000000000..fb41aff79
--- /dev/null
+++ b/private/flags_health_check.te
@@ -0,0 +1,3 @@
+typeattribute flags_health_check coredomain;
+
+init_daemon_domain(flags_health_check)
diff --git a/private/property_contexts b/private/property_contexts
index 58cc9832b..dff3cf878 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -161,3 +161,6 @@ ro.boot.                u:object_r:exported2_default_prop:s0
 
 # Properties that relate to time / time zone detection behavior.
 persist.time.           u:object_r:time_prop:s0
+
+# Properties that relate to server configurable flags
+persist.device_config.attempted_boot_count        u:object_r:device_config_boot_count_prop:s0
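Review bot: The new `persist.device_config.attempted_boot_count` entry has no trailing dot, so it is evidently meant to label a single property, but the neighbouring entries in this file (`ro.boot.`, `persist.time.`) are prefix matches, and with no explicit match mode this line would presumably also label any longer name that begins with it. If the property_contexts parser in this tree accepts a match-mode keyword, `persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0 exact` pins the label to exactly that name and keeps the `set_prop(flags_health_check, device_config_boot_count_prop)` grant from silently widening to future `persist.device_config.attempted_boot_count*` properties. If the parser here does not support the keyword, treat this as a caveat to confirm rather than a required change.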
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
new file mode 100644
index 000000000..1f6c8ee57
--- /dev/null
+++ b/public/flags_heatlh_check.te
@@ -0,0 +1,11 @@
+# The flags_health_check command run by init.
+type flags_health_check, domain, coredomain;
+type flags_health_check_exec, system_file_type, exec_type, file_type;
+
+set_prop(flags_health_check, device_config_boot_count_prop)
+
+# system property device_config_boot_count_prop is used for deciding when to perform server
+# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
+# wrong timing, trigger server configurable flag related disaster recovery, which will override
+# server configured values of all flags with default values.
+neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
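Review bot: The new public file is named `flags_heatlh_check.te` (see the diffstat and the `+++` header) while the private counterpart, the domain and the exec type are all spelled `flags_health_check`; rename it to `public/flags_health_check.te` so the public/private pair matches and the domain is findable by grep. The `coredomain` attribute is also attached twice, on the `type flags_health_check, domain, coredomain;` line here and again via `typeattribute flags_health_check coredomain;` in private/flags_health_check.te, which the compiler tolerates but which diverges from the tree's pattern of declaring `type X, domain;` in public and attaching coredomain in private, so dropping `coredomain` from the public declaration keeps that split consistent. The comment above the neverallow is hard to parse; suggest `# device_config_boot_count_prop decides when server-configurable-flag disaster recovery runs. If an unrelated component could set it, recovery could fire at the wrong time and overwrite every server-configured flag with its default, so only init and flags_health_check may set it.`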
diff --git a/public/property.te b/public/property.te
index 0457300e0..66e823afa 100644
--- a/public/property.te
+++ b/public/property.te
@@ -25,6 +25,7 @@ type dalvik_prop, property_type, core_property_type;
 type debuggerd_prop, property_type, core_property_type;
 type debug_prop, property_type, core_property_type;
 type default_prop, property_type, core_property_type;
+type device_config_boot_count_prop, property_type;
 type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
@@ -387,6 +388,7 @@ compatible_property_only(`
     -ffs_prop
     -fingerprint_prop
     -firstboot_prop
+    -device_config_boot_count_prop
     -hwservicemanager_prop
     -last_boot_reason_prop
     -system_lmk_prop
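Review bot: The `-device_config_boot_count_prop` exclusion is inserted after `-firstboot_prop`, breaking the alphabetical order the neighbouring entries keep (`-ffs_prop`, `-fingerprint_prop`, `-firstboot_prop`, `-hwservicemanager_prop`); move it above `-ffs_prop`, next to whatever `d` entries precede this hunk, so later additions land predictably and merge conflicts stay local. The enclosing `compatible_property_only` block starts and ends outside the hunk, so the exact insertion point cannot be confirmed from here.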
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c5cad47b0..c9aa0f211 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -173,6 +173,7 @@ recovery_only(`
 not_compatible_property(`
     set_prop(vendor_init, {
       property_type
+      -device_config_boot_count_prop
       -restorecon_prop
       -netd_stable_secret_prop
       -firstboot_prop
-- 
GitLab