commit 4eca81948385e18aa44af2135e01ef998cb9f3bf
author Daniel Norman <danielnorman@google.com> Thu Jul 25 11:29:17 2019 -0700
committer Daniel Norman <danielnorman@google.com> Fri Aug 02 10:27:15 2019 -0700
tree 7b6e6980bc5601c93d14061ae260ad982a5f1086
parent 2765c29befca9a35a123581b8f7b998cfb327638

Adds new policy for init_svc_debug_prop.

Used to restrict properties init.svc_debug_pid.*

Bug: 138114550
Test: getprop | grep init.svc_debug_pid  only shows results on root
Change-Id: I0c10699deec4c548a2463a934e96b897ddee1678

private/compat/29.0/29.0.ignore.cil

diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 83c8eee..5a9706a 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -12,6 +12,7 @@
     device_config_sys_traced_prop
     hal_can_bus_hwservice
     hal_can_controller_hwservice
+    init_svc_debug_prop
     ota_metadata_file
     runtime_apex_dir
     system_ashmem_hwservice

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index c31940c..254c55a 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -35,6 +35,7 @@
 debug.db.               u:object_r:debuggerd_prop:s0
 dumpstate.              u:object_r:dumpstate_prop:s0
 dumpstate.options       u:object_r:dumpstate_options_prop:s0
+init.svc_debug_pid.     u:object_r:init_svc_debug_prop:s0
 llk.                    u:object_r:llkd_prop:s0
 khungtask.              u:object_r:llkd_prop:s0
 ro.llk.                 u:object_r:llkd_prop:s0

public/property.te

diff --git a/public/property.te b/public/property.te
index fa397d7..1bac613 100644
--- a/public/property.te
+++ b/public/property.te
@@ -55,6 +55,7 @@
 type heapprofd_enabled_prop, property_type;
 type heapprofd_prop, property_type;
 type hwservicemanager_prop, property_type;
+type init_svc_debug_prop, property_type;
 type last_boot_reason_prop, property_type;
 type system_lmk_prop, property_type;
 type llkd_prop, property_type;
@@ -190,6 +191,18 @@
   ctl_rildaemon_prop
 }:property_service set;
 
+neverallow {
+  domain
+  -init
+} init_svc_debug_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  -dumpstate
+  userdebug_or_eng(`-su')
+} init_svc_debug_prop:file no_rw_file_perms;
+
 compatible_property_only(`
 # Prevent properties from being set
   neverallow {

public/vendor_init.te

diff --git a/public/vendor_init.te b/public/vendor_init.te
index 3312ff8..da3651d 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -217,6 +217,7 @@
       -apexd_prop
       -gsid_prop
       -nnapi_ext_deny_product_prop
+      -init_svc_debug_prop
     })
 ')