Add new context packagemanager_config_prop

To remove bad context names exported[23]_default_prop

Bug: 155844385
Test: m selinux_policy
Change-Id: Ic4bbc8e45d810368a96f6985c2234798e73be82d
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index c35edcc..a4b552d 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -134,6 +134,7 @@
     network_watchlist_data_file
     network_watchlist_service
     overlayfs_file
+    packagemanager_config_prop
     perfetto
     perfetto_exec
     perfetto_tmpfs
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 70e875b..d5ddbbf 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1362,6 +1362,7 @@
     hdmi_config_prop
     lmkd_config_prop
     media_config_prop
+    packagemanager_config_prop
     recovery_config_prop
     telephony_config_prop
     zram_config_prop))
diff --git a/private/property.te b/private/property.te
index b5505e5..6591a9c 100644
--- a/private/property.te
+++ b/private/property.te
@@ -414,3 +414,10 @@
   surfaceflinger_display_prop
 }:property_service set;
 
+neverallow {
+  -init
+  -dumpstate
+  -system_server
+  -vendor_init
+  -zygote
+} packagemanager_config_prop:file no_rw_file_perms;
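Review bot: The source set of the new neverallow holds only subtractions (`-init`, `-dumpstate`, `-system_server`, `-vendor_init`, `-zygote`) with no base attribute to subtract from, so it most likely expands to an empty set and the rule constrains nothing. If the intent is that no domain other than these five may read or write packagemanager_config_prop, add `domain` as the first entry inside the braces. A one-line comment above the rule, for example `# Only init, dumpstate, system_server, vendor_init and zygote may access packagemanager_config_prop`, would record why the allowlist has these members. The neverallow that ends just above this one begins outside the hunk, so it is not visible whether it has the same shape.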
diff --git a/private/property_contexts b/private/property_contexts
index 1380acc..991e89d 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -396,9 +396,8 @@
 
 ro.config.per_app_memcg u:object_r:exported3_default_prop:s0 exact bool
 
-ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
-
-ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
+ro.control_privapp_permissions u:object_r:packagemanager_config_prop:s0 exact enum disable enforce log
+ro.cp_system_other_odex        u:object_r:packagemanager_config_prop:s0 exact bool
 
 ro.crypto.allow_encrypt_override                u:object_r:vold_config_prop:s0 exact bool
 ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
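Review bot: Both relabelled entries also get a narrower value type in the same line (`string` becomes `enum disable enforce log`, `int` becomes `bool`), and the commit message mentions only the new context. A build that currently sets `ro.control_privapp_permissions` to anything outside those three values, or `ro.cp_system_other_odex` to an integer other than 0 or 1, would presumably have the set rejected and the property left unset. For the privapp-permissions setting it is worth confirming that the consumer's behaviour when the property is unset is not weaker than the value the device intended. Please call the type change out in the commit message and say whether existing device configurations were checked against it.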
diff --git a/private/system_server.te b/private/system_server.te
index 88e7228..7fe6f0b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -694,6 +694,9 @@
 # Read/write persist.sys.dalvik.vm.lib.2
 set_prop(system_server, dalvik_runtime_prop)
 
+# Read ro.control_privapp_permissions and ro.cp_system_other_odex
+get_prop(system_server, packagemanager_config_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
diff --git a/private/zygote.te b/private/zygote.te
index b1e2378..07154b0 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -200,6 +200,9 @@
 # Allow zygote to access media_variant_prop for static initialization
 get_prop(zygote, media_variant_prop)
 
+# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
+get_prop(zygote, packagemanager_config_prop)
+
 # Allow zygote to read /apex/apex-info-list.xml
 allow zygote apex_info_file:file r_file_perms;
 
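Review bot: The comment added above `get_prop(zygote, packagemanager_config_prop)` names the two properties but not why zygote needs them, unlike the neighbouring media_variant_prop comment, which gives "for static initialization". Because zygote is also exempted in the new neverallow in private/property.te, the reason for its access should be written down here so that a later least-privilege review can tell whether the grant is still needed. Extending the comment to `# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex, needed for <reason>` with the actual caller filled in would be enough.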
diff --git a/public/property.te b/public/property.te
index ea517cd..038eb41 100644
--- a/public/property.te
+++ b/public/property.te
@@ -122,6 +122,7 @@
 system_vendor_config_prop(lmkd_config_prop)
 system_vendor_config_prop(media_config_prop)
 system_vendor_config_prop(media_variant_prop)
+system_vendor_config_prop(packagemanager_config_prop)
 system_vendor_config_prop(recovery_config_prop)
 system_vendor_config_prop(storage_config_prop)
 system_vendor_config_prop(surfaceflinger_prop)