commit 3b82aec2042a77ed0ea2ce0dd854b7b6ab22d14c
author Inseob Kim <inseob@google.com> Thu May 14 01:38:40 2020 +0900
committer Inseob Kim <inseob@google.com> Tue May 19 10:39:20 2020 +0900
tree e8e86ae08ca7f43d2bf741aeae8c2de730f92b2b
parent 19eab1a117a3da4146b9abd8fc961d2965db9351

Move props out of exported3_system_prop

This is to remove bad context name "exported3_system_prop".

- persist.sys.device_provisioned -> provisioned_prop
- sys.retaildemo.enabled -> retaildemo_prop

Bug: 154885206
Test: boot device and see no denials
Change-Id: Ia19a19d93d0689deb56d66fe0b039ace44e4836f

private/compat/27.0/27.0.ignore.cil

diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 3d649a0..2dd0265 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -18,8 +18,9 @@
     apexd_prop
     apexd_tmpfs
     app_zygote
-    audio_config_prop
+    art_apex_dir
     atrace
+    audio_config_prop
     binder_calls_stats_service
     biometric_service
     blank_screen
@@ -134,10 +135,11 @@
     perfetto_tmpfs
     perfetto_traces_data_file
     property_info
+    provisioned_prop
     recovery_socket
+    retaildemo_prop
     role_service
     runas_app
-    art_apex_dir
     runtime_service
     secure_element
     secure_element_device

private/compat/30.0/30.0.cil

diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 973d580..481cbe3 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1361,7 +1361,11 @@
     media_config_prop
     zram_config_prop))
 (typeattributeset exported3_radio_prop_30_0 (exported3_radio_prop))
-(typeattributeset exported3_system_prop_30_0 (exported3_system_prop boot_status_prop))
+(typeattributeset exported3_system_prop_30_0
+  ( exported3_system_prop
+    boot_status_prop
+    provisioned_prop
+    retaildemo_prop))
 (typeattributeset exported_audio_prop_30_0 (exported_audio_prop audio_config_prop))
 (typeattributeset exported_bluetooth_prop_30_0 (exported_bluetooth_prop))
 (typeattributeset exported_camera_prop_30_0 (exported_camera_prop))

private/property.te

diff --git a/private/property.te b/private/property.te
index fd8ea3b..f4225c2 100644
--- a/private/property.te
+++ b/private/property.te
@@ -368,3 +368,19 @@
   usb_config_prop
   usb_control_prop
 }:property_service set;
+
+neverallow {
+  -init
+  -system_server
+} {
+  provisioned_prop
+  retaildemo_prop
+}:property_service set;
+
+neverallow {
+  -coredomain
+  -vendor_init
+} {
+  provisioned_prop
+  retaildemo_prop
+}:file no_rw_file_perms;

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index cfcfd5e..c1a7188 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -514,10 +514,12 @@
 dev.bootcomplete   u:object_r:boot_status_prop:s0 exact bool
 sys.boot_completed u:object_r:boot_status_prop:s0 exact bool
 
-persist.sys.device_provisioned  u:object_r:exported3_system_prop:s0 exact string
+persist.sys.device_provisioned u:object_r:provisioned_prop:s0 exact string
+
 persist.sys.theme               u:object_r:theme_prop:s0 exact string
 
-sys.retaildemo.enabled  u:object_r:exported3_system_prop:s0 exact int
+sys.retaildemo.enabled u:object_r:retaildemo_prop:s0 exact int
+
 sys.user.0.ce_available u:object_r:exported3_system_prop:s0 exact bool
 
 aac_drc_boost            u:object_r:aac_drc_prop:s0 exact int

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index a049696..bd87ead 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -620,6 +620,8 @@
 set_prop(system_server, audio_prop)
 set_prop(system_server, boot_status_prop)
 set_prop(system_server, surfaceflinger_color_prop)
+set_prop(system_server, provisioned_prop)
+set_prop(system_server, retaildemo_prop)
 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
 
 # ctl interface

public/property.te

diff --git a/public/property.te b/public/property.te
index 108c78e..a13a361 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,7 +65,9 @@
 system_restricted_prop(libc_debug_prop)
 system_restricted_prop(module_sdkextensions_prop)
 system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(provisioned_prop)
 system_restricted_prop(restorecon_prop)
+system_restricted_prop(retaildemo_prop)
 system_restricted_prop(socket_hook_prop)
 system_restricted_prop(system_boot_reason_prop)
 system_restricted_prop(system_jvmti_agent_prop)

public/vendor_init.te

diff --git a/public/vendor_init.te b/public/vendor_init.te
index 6c9a8b8..a344eaa 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -245,9 +245,11 @@
 get_prop(vendor_init, boot_status_prop)
 get_prop(vendor_init, exported2_radio_prop)
 get_prop(vendor_init, exported3_system_prop)
+get_prop(vendor_init, ota_prop)
+get_prop(vendor_init, provisioned_prop)
+get_prop(vendor_init, retaildemo_prop)
 get_prop(vendor_init, theme_prop)
 
-get_prop(vendor_init, ota_prop)
 
 ###
 ### neverallow rules