Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 4de238e9b999f91a86d130638a8b70d306363bf9^! / .
commit4de238e9b999f91a86d130638a8b70d306363bf9[log] [tgz]
authorJaekyun Seok <jaekyun@google.com>Fri Apr 06 03:32:58 2018 +0900
committerJaekyun Seok <jaekyun@google.com>Mon Apr 16 06:18:24 2018 +0000
tree47bf16d2c81db7736b74743a009b90f67f65497a
parentba890071786e90500a67711fc4379f7afc02addb [diff]
Allow dumpstate to read property_type

dumpstate needs to read all the system properties for debugging.

Bug: 77277669
Test: succeeded building and tested with taimen
Change-Id: I3603854b3be67d4fc55d74f7925a21bfa59c81ee

diff --git a/public/domain.te b/public/domain.te
index 31345be..41e0903 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -560,7 +560,7 @@
 } serialno_prop:file r_file_perms;
 
 # Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server } firstboot_prop:file r_file_perms;
+neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
 
 neverallow {
   domain

diff --git a/public/dumpstate.te b/public/dumpstate.te
index 0fad5e1..8807157 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te

@@ -232,16 +232,8 @@
 # dumpstate_options_prop is used to pass extra command-line args.
 set_prop(dumpstate, dumpstate_options_prop)
 
-# Read device's serial number from system properties
-get_prop(dumpstate, serialno_prop)
-
-# Read state of logging-related properties
-get_prop(dumpstate, device_logging_prop)
-
-# Read state of boot reason properties
-get_prop(dumpstate, bootloader_boot_reason_prop)
-get_prop(dumpstate, last_boot_reason_prop)
-get_prop(dumpstate, system_boot_reason_prop)
+# Read any system properties
+get_prop(dumpstate, property_type)
 
 # Access to /data/media.
 # This should be removed if sdcardfs is modified to alter the secontext for its

diff --git a/public/netd.te b/public/netd.te
index 545ad7c..7262072 100644
--- a/public/netd.te
+++ b/public/netd.te

@@ -141,7 +141,7 @@
 
 # persist.netd.stable_secret contains RFC 7217 secret key which should never be
 # leaked to other processes. Make sure it never leaks.
-neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
+neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
 
 # We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
 # the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.