Relabel ro.build. properties

- exported_fingerprint_prop is deleted
- other ro.build. properties become build_prop

Bug: 155844385
Test: sepolicy_tests
Change-Id: Ic1194e8e7c23394e5a7c6176f9f9598109bb5fb7
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index e6b9f4f..520bb02 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -30,6 +30,7 @@
     bluetooth_a2dp_offload_prop
     bpfloader
     bpfloader_exec
+    build_prop
     camera_config_prop
     cgroup_bpf
     charger_exec
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 766518b..0a21e03 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -2,6 +2,7 @@
 (type exported_audio_prop)
 (type exported_dalvik_prop)
 (type exported_ffs_prop)
+(type exported_fingerprint_prop)
 (type exported_vold_prop)
 (type exported2_config_prop)
 (type exported2_vold_prop)
@@ -285,7 +286,6 @@
 (expandtypeattribute (ffs_prop_30_0) true)
 (expandtypeattribute (file_contexts_file_30_0) true)
 (expandtypeattribute (file_integrity_service_30_0) true)
-(expandtypeattribute (fingerprint_prop_30_0) true)
 (expandtypeattribute (fingerprint_service_30_0) true)
 (expandtypeattribute (fingerprint_vendor_data_file_30_0) true)
 (expandtypeattribute (fingerprintd_30_0) true)
@@ -1342,6 +1342,7 @@
 (typeattributeset exported2_default_prop_30_0
   ( exported2_default_prop
     aac_drc_prop
+    build_prop
     libc_debug_prop))
 (typeattributeset exported2_radio_prop_30_0 (exported2_radio_prop))
 (typeattributeset exported2_system_prop_30_0
@@ -1367,7 +1368,7 @@
   ( exported_ffs_prop
     ffs_config_prop
     ffs_control_prop))
-(typeattributeset exported_fingerprint_prop_30_0 (exported_fingerprint_prop))
+(typeattributeset exported_fingerprint_prop_30_0 (exported_fingerprint_prop fingerprint_prop))
 (typeattributeset exported_overlay_prop_30_0 (exported_overlay_prop))
 (typeattributeset exported_pm_prop_30_0 (exported_pm_prop))
 (typeattributeset exported_radio_prop_30_0 (exported_radio_prop))
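Review bot: `fingerprint_prop_30_0` loses both its `expandtypeattribute` and its `typeattributeset` in the neighbouring hunks, while `fingerprint_prop` is folded into `exported_fingerprint_prop_30_0` here. A 30.0 vendor policy that wrote rules against `fingerprint_prop_30_0` would presumably be left with an attribute that contains no types. The public/property.te hunks suggest `fingerprint_prop` was a public type, so this matters if the 30.0 mapping is already consumed by a frozen vendor image; in that case keeping `(typeattributeset fingerprint_prop_30_0 (fingerprint_prop))` alongside the new line would preserve those rules. The commit lists only `sepolicy_tests` under Test:, so it would help to state whether the compatibility mapping was exercised as well.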
@@ -1383,7 +1384,6 @@
 (typeattributeset ffs_prop_30_0 (ffs_prop))
 (typeattributeset file_contexts_file_30_0 (file_contexts_file))
 (typeattributeset file_integrity_service_30_0 (file_integrity_service))
-(typeattributeset fingerprint_prop_30_0 (fingerprint_prop))
 (typeattributeset fingerprint_service_30_0 (fingerprint_service))
 (typeattributeset fingerprint_vendor_data_file_30_0 (fingerprint_vendor_data_file))
 (typeattributeset fingerprintd_30_0 (fingerprintd))
diff --git a/private/property.te b/private/property.te
index 4bd7e1a..d634d29 100644
--- a/private/property.te
+++ b/private/property.te
@@ -136,7 +136,6 @@
     exported_config_prop
     exported_default_prop
     exported_dumpstate_prop
-    exported_fingerprint_prop
     exported_system_prop
     exported_system_radio_prop
     exported2_default_prop
diff --git a/private/property_contexts b/private/property_contexts
index 9fdcb1a..20dcef7 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -112,7 +112,7 @@
 
 # ro.build.fingerprint is either set in /system/build.prop, or is
 # set at runtime by system_server.
-ro.build.fingerprint    u:object_r:fingerprint_prop:s0
+ro.build.fingerprint    u:object_r:fingerprint_prop:s0 exact string
 
 ro.persistent_properties.ready  u:object_r:persistent_properties_ready_prop:s0
 
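Review bot: Adding `exact string` turns this entry from a prefix match into an exact match, so any property whose name merely starts with `ro.build.fingerprint` no longer receives `fingerprint_prop` and falls through to whatever shorter prefix or default applies. No such name is visible in this diff, so this may be intended, but the comment above the entry should say so, for example `# Exact match only: longer names starting with ro.build.fingerprint are not labelled here.` Because the duplicate exact entry under `exported_fingerprint_prop` is dropped in the next hunk, this line is now the only label for the property.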
@@ -585,31 +585,30 @@
 ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
 ro.boottime.init.fsck.data  u:object_r:boottime_public_prop:s0 exact string
 
-ro.build.date                        u:object_r:exported2_default_prop:s0 exact string
-ro.build.date.utc                    u:object_r:exported2_default_prop:s0 exact int
-ro.build.description                 u:object_r:exported2_default_prop:s0 exact string
-ro.build.display.id                  u:object_r:exported2_default_prop:s0 exact string
-ro.build.fingerprint                 u:object_r:exported_fingerprint_prop:s0 exact string
-ro.build.host                        u:object_r:exported2_default_prop:s0 exact string
-ro.build.id                          u:object_r:exported2_default_prop:s0 exact string
-ro.build.product                     u:object_r:exported2_default_prop:s0 exact string
-ro.build.system_root_image           u:object_r:exported2_default_prop:s0 exact bool
-ro.build.tags                        u:object_r:exported2_default_prop:s0 exact string
-ro.build.user                        u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.base_os             u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.codename            u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.incremental         u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.preview_sdk         u:object_r:exported2_default_prop:s0 exact int
-ro.build.version.release             u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.release_or_codename u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.sdk                 u:object_r:exported2_default_prop:s0 exact int
-ro.build.version.security_patch      u:object_r:exported2_default_prop:s0 exact string
+ro.build.date                        u:object_r:build_prop:s0 exact string
+ro.build.date.utc                    u:object_r:build_prop:s0 exact int
+ro.build.description                 u:object_r:build_prop:s0 exact string
+ro.build.display.id                  u:object_r:build_prop:s0 exact string
+ro.build.host                        u:object_r:build_prop:s0 exact string
+ro.build.id                          u:object_r:build_prop:s0 exact string
+ro.build.product                     u:object_r:build_prop:s0 exact string
+ro.build.system_root_image           u:object_r:build_prop:s0 exact bool
+ro.build.tags                        u:object_r:build_prop:s0 exact string
+ro.build.user                        u:object_r:build_prop:s0 exact string
+ro.build.version.base_os             u:object_r:build_prop:s0 exact string
+ro.build.version.codename            u:object_r:build_prop:s0 exact string
+ro.build.version.incremental         u:object_r:build_prop:s0 exact string
+ro.build.version.preview_sdk         u:object_r:build_prop:s0 exact int
+ro.build.version.release             u:object_r:build_prop:s0 exact string
+ro.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.build.version.sdk                 u:object_r:build_prop:s0 exact int
+ro.build.version.security_patch      u:object_r:build_prop:s0 exact string
+
+ro.debuggable u:object_r:build_prop:s0 exact bool
 
 ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
 ro.crypto.type  u:object_r:vold_status_prop:s0 exact enum block file none
 
-ro.debuggable u:object_r:exported2_default_prop:s0 exact int
-
 ro.hardware u:object_r:exported2_default_prop:s0 exact string
 
 ro.product.brand        u:object_r:exported2_default_prop:s0 exact string
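Review bot: `ro.debuggable` changes type from `exact int` to `exact bool` as well as moving to `build_prop`, and the commit message mentions neither the type change nor that a non-`ro.build.` property joins `build_prop`. A `bool` entry accepts `true`/`false` in addition to `0`/`1`, so any reader that parses the value as an integer would need to be checked; if the wider value set is not wanted, keep `exact int`. A short comment above the entry, such as `# ro.debuggable is grouped with build_prop so that only init may set it`, would record why it sits with the build properties.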
diff --git a/private/system_server.te b/private/system_server.te
index e9f57f1..db8bdc9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -610,7 +610,6 @@
 set_prop(system_server, debug_prop)
 set_prop(system_server, powerctl_prop)
 set_prop(system_server, fingerprint_prop)
-set_prop(system_server, exported_fingerprint_prop)
 set_prop(system_server, device_logging_prop)
 set_prop(system_server, dumpstate_options_prop)
 set_prop(system_server, overlay_prop)
diff --git a/public/domain.te b/public/domain.te
index 2e17f42..038079d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -94,15 +94,16 @@
 allow domain property_info:file r_file_perms;
 
 # Public readable properties
+get_prop(domain, build_prop)
 get_prop(domain, debug_prop)
 get_prop(domain, exported_config_prop)
 get_prop(domain, exported_default_prop)
 get_prop(domain, exported_dumpstate_prop)
-get_prop(domain, exported_fingerprint_prop)
 get_prop(domain, exported_radio_prop)
 get_prop(domain, exported_secure_prop)
 get_prop(domain, exported_system_prop)
 get_prop(domain, exported2_default_prop)
+get_prop(domain, fingerprint_prop)
 get_prop(domain, libc_debug_prop)
 get_prop(domain, logd_prop)
 get_prop(domain, socket_hook_prop)
@@ -542,6 +543,7 @@
 ')
 
 neverallow { domain -init } aac_drc_prop:property_service set;
+neverallow { domain -init } build_prop:property_service set;
 
 # Do not allow reading device's serial number from system properties except form
 # a few whitelisted domains.
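Review bot: The new neverallow locks down `build_prop`, but `fingerprint_prop` gets no matching assertion, even though this commit makes it readable by every domain and removes it from `core_property_type` in public/property.te. Only `system_server` is shown with `set_prop` on it, so, assuming no other domain needs to set it, `neverallow { domain -init -system_server } fingerprint_prop:property_service set;` next to the added line would pin the writers of `ro.build.fingerprint` the same way. It is also worth confirming that no neverallow written against `core_property_type` was the only rule keeping other domains from setting this type.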
diff --git a/public/property.te b/public/property.te
index 50ef6a2..1840fcf 100644
--- a/public/property.te
+++ b/public/property.te
@@ -61,6 +61,8 @@
 system_restricted_prop(boot_status_prop)
 system_restricted_prop(boottime_public_prop)
 system_restricted_prop(bq_config_prop)
+system_restricted_prop(build_prop)
+system_restricted_prop(fingerprint_prop)
 system_restricted_prop(libc_debug_prop)
 system_restricted_prop(module_sdkextensions_prop)
 system_restricted_prop(nnapi_ext_deny_product_prop)
@@ -84,9 +86,7 @@
     system_restricted_prop(exported2_default_prop)
     system_restricted_prop(exported3_system_prop)
     system_restricted_prop(exported_dumpstate_prop)
-    system_restricted_prop(exported_fingerprint_prop)
     system_restricted_prop(exported_secure_prop)
-    system_restricted_prop(fingerprint_prop)
     system_restricted_prop(heapprofd_prop)
     system_restricted_prop(net_radio_prop)
     system_restricted_prop(pan_result_prop)
@@ -217,9 +217,7 @@
     system_public_prop(exported2_default_prop)
     system_public_prop(exported3_system_prop)
     system_public_prop(exported_dumpstate_prop)
-    system_public_prop(exported_fingerprint_prop)
     system_public_prop(exported_secure_prop)
-    system_public_prop(fingerprint_prop)
     system_public_prop(heapprofd_prop)
     system_public_prop(net_radio_prop)
     system_public_prop(pan_result_prop)
@@ -256,7 +254,6 @@
 typeattribute default_prop       core_property_type;
 typeattribute dhcp_prop          core_property_type;
 typeattribute dumpstate_prop     core_property_type;
-typeattribute fingerprint_prop   core_property_type;
 typeattribute logd_prop          core_property_type;
 typeattribute net_radio_prop     core_property_type;
 typeattribute nfc_prop           core_property_type;