Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 4b3893f90bf6bc67de232ddc44123974d36770ef^! / .
commit4b3893f90bf6bc67de232ddc44123974d36770ef[log] [tgz]
authorRobert Craig <rpcraig@tycho.ncsc.mil>Tue Feb 18 13:24:26 2014 -0500
committerRobert Craig <rpcraig@tycho.ncsc.mil>Tue Mar 25 13:36:50 2014 -0400
treefafcc28fe39efc6512d928eb62fce07c6f8aed83
parent18f2b80e6279a7642ed307f613281411955f699a [diff]
Replace ctl_default_prop access with explicit service property keys.

The ctl_default_prop label is a bit too generic for some
of the priveleged domains when describing access rights.
Instead, be explicit about which services are being started
and stopped by introducing new ctl property keys.

Change-Id: I1d0c6f6b3e8bd63da30bd6c7b084da44f063246a
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

diff --git a/netd.te b/netd.te
index 5020898..46cc436 100644
--- a/netd.te
+++ b/netd.te

@@ -56,9 +56,7 @@
 domain_auto_trans(netd, clatd_exec, clatd)
 allow netd clatd:process signal;
 
-# Support netd running mdnsd
-# TODO: prune this back further
-allow netd ctl_default_prop:property_service set;
+allow netd ctl_mdnsd_prop:property_service set;
 
 ###
 ### Neverallow rules

diff --git a/property.te b/property.te
index c1dc254..6f2b280 100644
--- a/property.te
+++ b/property.te

@@ -6,8 +6,11 @@
 type system_prop, property_type;
 type vold_prop, property_type;
 type rild_prop, property_type;
+type ctl_bootanim_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_dumpstate_prop, property_type;
+type ctl_fuse_prop, property_type;
+type ctl_mdnsd_prop, property_type;
 type ctl_rildaemon_prop, property_type;
 type ctl_bugreport_prop, property_type;
 type audio_prop, property_type;

diff --git a/property_contexts b/property_contexts
index 08874c5..aedf60c 100644
--- a/property_contexts
+++ b/property_contexts

@@ -52,7 +52,10 @@
 crypto.                 u:object_r:vold_prop:s0
 
 # ctl properties
+ctl.bootanim            u:object_r:ctl_bootanim_prop:s0
 ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
+ctl.fuse_               u:object_r:ctl_fuse_prop:s0
+ctl.mdnsd               u:object_r:ctl_mdnsd_prop:s0
 ctl.ril-daemon          u:object_r:ctl_rildaemon_prop:s0
 ctl.bugreport           u:object_r:ctl_bugreport_prop:s0
 ctl.                    u:object_r:ctl_default_prop:s0

diff --git a/surfaceflinger.te b/surfaceflinger.te
index 5ecfd18..20fef95 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te

@@ -38,7 +38,7 @@
 
 # Set properties.
 allow surfaceflinger system_prop:property_service set;
-allow surfaceflinger ctl_default_prop:property_service set;
+allow surfaceflinger ctl_bootanim_prop:property_service set;
 
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;

diff --git a/vold.te b/vold.te
index cc70e8a..b76be76 100644
--- a/vold.te
+++ b/vold.te

@@ -65,7 +65,7 @@
 # Property Service
 allow vold vold_prop:property_service set;
 allow vold powerctl_prop:property_service set;
-allow vold ctl_default_prop:property_service set;
+allow vold ctl_fuse_prop:property_service set;
 
 # ASEC
 allow vold asec_image_file:file create_file_perms;