Support for more binder caches
Bug: 140788621
This adds keys for several planned binder caches in the system server
and in the bluetooth server. The actual cache code is not in this
tree.
Test: created a test build that contains the actual cache code and ran
some system tests. Verified that no protection issues were seen.
Change-Id: Ibaccb0c0ff8b127d14cf769ea4156f7d8b024bc1
diff --git a/private/bluetooth.te b/private/bluetooth.te
index b96fc58..1680361 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -40,6 +40,9 @@
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
# Allow write access to bluetooth specific properties
+set_prop(bluetooth, binder_cache_bluetooth_server_prop);
+neverallow { domain -bluetooth -init }
+ binder_cache_bluetooth_server_prop:property_service set;
set_prop(bluetooth, bluetooth_a2dp_offload_prop)
set_prop(bluetooth, bluetooth_audio_hal_prop)
set_prop(bluetooth, bluetooth_prop)
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 76a8c6b..e1a468b 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -15,6 +15,7 @@
auth_service
ashmem_libcutils_device
blob_store_service
+ binder_cache_bluetooth_server_prop
binder_cache_system_server_prop
binderfs
binderfs_logs
diff --git a/public/domain.te b/public/domain.te
index feb0435..41676ff 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -107,7 +107,8 @@
get_prop(domain, logd_prop)
get_prop(domain, vndk_prop)
-# Allow every to read binder cache properties
+# Binder cache properties are world-readable
+get_prop(domain, binder_cache_bluetooth_server_prop)
get_prop(domain, binder_cache_system_server_prop)
# Let everyone read log properties, so that liblog can avoid sending unloggable
diff --git a/public/property.te b/public/property.te
index 7a1e4dd..45ebe25 100644
--- a/public/property.te
+++ b/public/property.te
@@ -150,6 +150,7 @@
system_public_prop(wifi_prop)
# Properties used by binder caches
+system_public_prop(binder_cache_bluetooth_server_prop)
system_public_prop(binder_cache_system_server_prop)
# Properties which are public for devices launching with Android O or earlier
@@ -555,10 +556,11 @@
property_type
-apexd_prop
-audio_prop
+ -binder_cache_bluetooth_server_prop
+ -binder_cache_system_server_prop
-bluetooth_a2dp_offload_prop
-bluetooth_audio_hal_prop
-bluetooth_prop
- -binder_cache_system_server_prop
-bootloader_boot_reason_prop
-boottime_prop
-bpf_progs_loaded_prop
diff --git a/public/property_contexts b/public/property_contexts
index 0a000ec..f3dc51f 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -441,6 +441,13 @@
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
# Binder cache properties. These are world-readable
+cache_key.bluetooth.get_bond_state u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.bluetooth.get_profile_connection_state u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.bluetooth.get_state u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.bluetooth.is_offloaded_filtering_supported u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.get_packages_for_uid u:object_r:binder_cache_system_server_prop:s0
cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
cache_key.is_interactive u:object_r:binder_cache_system_server_prop:s0
cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
+
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 6a20bf2..c2baed7 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -198,6 +198,7 @@
not_compatible_property(`
set_prop(vendor_init, {
property_type
+ -binder_cache_bluetooth_server_prop
-binder_cache_system_server_prop
-device_config_activity_manager_native_boot_prop
-device_config_boot_count_prop