Add contexts for init.svc.* props
To remove bad context names "exported*_prop". Other init.svc.*
properties explicitly become system internal prop.
Bug: 155844385
Test: boot and see no denials
Change-Id: I7a3b4103a4cea77035a6e831e3b6a49a45f15a35
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 2dd0265..a55887f 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -100,6 +100,8 @@
heapprofd_socket
incident_helper
incident_helper_exec
+ init_service_status_private_prop
+ init_service_status_prop
iorapd
iorapd_data_file
iorapd_exec
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 481cbe3..ba581d8 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1285,7 +1285,7 @@
(typeattributeset default_android_hwservice_30_0 (default_android_hwservice))
(typeattributeset default_android_service_30_0 (default_android_service))
(typeattributeset default_android_vndservice_30_0 (default_android_vndservice))
-(typeattributeset default_prop_30_0 (default_prop))
+(typeattributeset default_prop_30_0 (default_prop init_service_status_private_prop))
(typeattributeset dev_cpu_variant_30_0 (dev_cpu_variant))
(typeattributeset device_30_0 (device))
(typeattributeset device_config_activity_manager_native_boot_prop_30_0 (device_config_activity_manager_native_boot_prop))
@@ -1345,6 +1345,7 @@
( exported2_default_prop
aac_drc_prop
build_prop
+ init_service_status_prop
libc_debug_prop))
(typeattributeset exported2_radio_prop_30_0 (exported2_radio_prop))
(typeattributeset exported2_system_prop_30_0
diff --git a/private/coredomain.te b/private/coredomain.te
index 887f51a..895507c 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -1,11 +1,12 @@
-get_prop(coredomain, pm_prop)
+get_prop(coredomain, camera_config_prop)
+get_prop(coredomain, dalvik_runtime_prop)
get_prop(coredomain, exported_pm_prop)
get_prop(coredomain, ffs_config_prop)
-get_prop(coredomain, lmkd_config_prop)
-get_prop(coredomain, camera_config_prop)
get_prop(coredomain, hdmi_config_prop)
-get_prop(coredomain, dalvik_runtime_prop)
-
+get_prop(coredomain, init_service_status_private_prop)
+get_prop(coredomain, init_service_status_prop)
+get_prop(coredomain, lmkd_config_prop)
+get_prop(coredomain, pm_prop)
get_prop(coredomain, usb_config_prop)
get_prop(coredomain, usb_control_prop)
diff --git a/private/property.te b/private/property.te
index ca4dd65..ecbfff3 100644
--- a/private/property.te
+++ b/private/property.te
@@ -7,6 +7,7 @@
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
+system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(netd_stable_secret_prop)
@@ -385,3 +386,10 @@
provisioned_prop
retaildemo_prop
}:file no_rw_file_perms;
+
+neverallow {
+ -init
+} {
+ init_service_status_private_prop
+ init_service_status_prop
+}:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 3f15983..5188bc7 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -542,13 +542,17 @@
hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
-init.svc.bugreport u:object_r:exported2_default_prop:s0 exact string
-init.svc.console u:object_r:exported2_default_prop:s0 exact string
-init.svc.dumpstatez u:object_r:exported2_default_prop:s0 exact string
-init.svc.mediadrm u:object_r:exported2_default_prop:s0 exact string
-init.svc.surfaceflinger u:object_r:exported2_default_prop:s0 exact string
-init.svc.tombstoned u:object_r:exported2_default_prop:s0 exact string
-init.svc.zygote u:object_r:exported2_default_prop:s0 exact string
+# default contexts only accessible by coredomain
+init.svc. u:object_r:init_service_status_private_prop:s0 exact string
+
+# vendor-init-readable init service props
+init.svc.bugreport u:object_r:init_service_status_prop:s0 exact string
+init.svc.console u:object_r:init_service_status_prop:s0 exact string
+init.svc.dumpstatez u:object_r:init_service_status_prop:s0 exact string
+init.svc.mediadrm u:object_r:init_service_status_prop:s0 exact string
+init.svc.surfaceflinger u:object_r:init_service_status_prop:s0 exact string
+init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
+init.svc.zygote u:object_r:init_service_status_prop:s0 exact string
libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
diff --git a/public/property.te b/public/property.te
index a13a361..8229ce8 100644
--- a/public/property.te
+++ b/public/property.te
@@ -62,6 +62,7 @@
system_restricted_prop(bq_config_prop)
system_restricted_prop(build_prop)
system_restricted_prop(fingerprint_prop)
+system_restricted_prop(init_service_status_prop)
system_restricted_prop(libc_debug_prop)
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index a344eaa..5cf085d 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -245,6 +245,7 @@
get_prop(vendor_init, boot_status_prop)
get_prop(vendor_init, exported2_radio_prop)
get_prop(vendor_init, exported3_system_prop)
+get_prop(vendor_init, init_service_status_prop)
get_prop(vendor_init, ota_prop)
get_prop(vendor_init, provisioned_prop)
get_prop(vendor_init, retaildemo_prop)