Move net.dns* to it's own label.
Move net.dns* from net_radio_prop to the newly created label
net_dns_prop. This allows finer grain control over this specific
property.
Prior to this change, this property was readable to all SELinux domains,
and writable by the following SELinux domains:
* system_server
* system_app (apps which run as UID=system)
* netmgrd
* radio
This change:
1) Removes read access to this property to everyone EXCEPT untrusted_app
and system_server.
2) Limit write access to system_server.
In particular, this change removes read access to priv_apps. Any
priv_app which ships with the system should not be reading this
property.
Bug: 34115651
Test: Device boots, wifi turns on, no problems browsing the internet
Change-Id: I8a32e98c4f573d634485c4feac91baa35d021d38
diff --git a/private/property_contexts b/private/property_contexts
index 552c6b5..7845505 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -8,7 +8,7 @@
net.qmi u:object_r:net_radio_prop:s0
net.lte u:object_r:net_radio_prop:s0
net.cdma u:object_r:net_radio_prop:s0
-net.dns u:object_r:net_radio_prop:s0
+net.dns u:object_r:net_dns_prop:s0
sys.usb.config u:object_r:system_radio_prop:s0
ril. u:object_r:radio_prop:s0
ro.ril. u:object_r:radio_prop:s0
diff --git a/private/system_server.te b/private/system_server.te
index d0483f5..30fe3e2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -394,6 +394,7 @@
set_prop(system_server, safemode_prop)
set_prop(system_server, dhcp_prop)
set_prop(system_server, net_radio_prop)
+set_prop(system_server, net_dns_prop)
set_prop(system_server, system_radio_prop)
set_prop(system_server, debug_prop)
set_prop(system_server, powerctl_prop)
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index c0d2b93..b6a80da 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -21,6 +21,10 @@
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
+# b/34115651 - net.dns* properties read
+# This will go away in a future Android release
+get_prop(untrusted_app, net_dns_prop)
+
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app)