microdroid: Narrow property permissions
microdroid's domains have been able to read/write any properties. That's
just for convenience while bringing up microdroid. This cleans up such
global permission and grants minimal access.
Bug: 194447534
Test: atest MicrodroidHostTestCases ComposHostTestCases
Test: run microdroid demo app
Change-Id: I09ce1174d4af9c228b788a522a6ab845cafd4505
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index 2ebf9d8..1212840 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -42,3 +42,12 @@
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
+
+set_prop(adbd, shell_prop)
+
+# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
+set_prop(adbd, adbd_prop)
+
+# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
+# TODO(b/200902288): patch adb and remove this rule
+dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index 621b1a8..bf67e4c 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -85,3 +85,12 @@
#-------------------------------------------
allow apexd kmsg_device:chr_file w_file_perms;
+
+# apexd can set apexd sysprop
+set_prop(apexd, apexd_prop)
+
+# Allow apexd to stop itself
+set_prop(apexd, ctl_apexd_prop)
+
+# apexd uses it to decide whether it needs to keep retrying polling for loop device.
+get_prop(apexd, cold_boot_done_prop)
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index fd9fa47..8368bea 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -218,16 +218,17 @@
allow domain self:global_capability_class_set audit_control;
allow domain self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-# workaround for suppressing property accesses.
-# TODO(b/199007910): remove these
-set_prop(domain, {
- property_type
- -default_prop
- -vmsecret_keymint_prop
- -microdroid_manager_roothash_prop
-})
-#auditallow { domain -default_prop -init } property_type:property_service set;
-#auditallow { domain -default_prop -init } property_type:file rw_file_perms;
+# globally readable properties
+get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bootloader_prop)
+get_prop(domain, build_prop)
+get_prop(domain, debug_prop)
+get_prop(domain, fingerprint_prop)
+get_prop(domain, init_service_status_prop)
+get_prop(domain, libc_debug_prop)
+get_prop(domain, log_tag_prop)
+get_prop(domain, logd_prop)
+get_prop(domain, property_service_version_prop)
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;
@@ -266,3 +267,6 @@
# tests (b/114136122)
domain_auto_trans(domain, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
+
+# Properties that microdroid doesn't have but some still want to read.
+dontaudit domain { heapprofd_prop timezone_prop }:file r_file_perms;
diff --git a/microdroid/system/private/halclientdomain.te b/microdroid/system/private/halclientdomain.te
index 5f2afb3..f9b15f0 100644
--- a/microdroid/system/private/halclientdomain.te
+++ b/microdroid/system/private/halclientdomain.te
@@ -8,3 +8,5 @@
# Wait for HAL server to be up (used by getService)
allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
+
+get_prop(halclientdomain, hwservicemanager_prop)
diff --git a/microdroid/system/private/hwservicemanager.te b/microdroid/system/private/hwservicemanager.te
index 17456db..88b9e89 100644
--- a/microdroid/system/private/hwservicemanager.te
+++ b/microdroid/system/private/hwservicemanager.te
@@ -23,3 +23,5 @@
add_hwservice(hwservicemanager, hidl_manager_hwservice)
add_hwservice(hwservicemanager, hidl_token_hwservice)
+
+set_prop(hwservicemanager, hwservicemanager_prop)
diff --git a/microdroid/system/private/keystore.te b/microdroid/system/private/keystore.te
index be211a3..ee10910 100644
--- a/microdroid/system/private/keystore.te
+++ b/microdroid/system/private/keystore.te
@@ -16,3 +16,5 @@
# microdroid isn't related to F2FS, but sqlite3 tries to query F2FS features.
dontauditxperm keystore keystore_data_file:file ioctl F2FS_IOC_GET_FEATURES;
+
+set_prop(keystore, keystore_crash_prop)
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index 0cc6e96..fa1cb40 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -41,3 +41,6 @@
allow logd ueventd:file { getattr open read };
control_logd(logd)
read_runtime_log_tags(logd)
+
+# Logd sets defaults if certain properties are empty.
+set_prop(logd, logd_prop)
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index e78d4dc..f7212f2 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -49,7 +49,8 @@
IOCTL_VM_SOCKETS_GET_LOCAL_CID
};
-# Allow microdroid_manager to start the services apkdmverity and zipfuse
+# Allow microdroid_manager to start the services apexd-vm, apkdmverity and zipfuse
+set_prop(microdroid_manager, ctl_apexd_vm_prop)
set_prop(microdroid_manager, ctl_apkdmverity_prop)
set_prop(microdroid_manager, ctl_zipfuse_prop)
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 58942b6..799ac3c 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,3 +1,11 @@
+# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+ ctl_console_prop
+ ctl_default_prop
+ ctl_fuse_prop
+}:property_service set;
+
###
### Neverallow rules
###
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 3c6d248..93ba1b5 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -1,8 +1,10 @@
# property contexts for microdroid
-# microdroid only uses much fewer properties than normal Android, so every property is listed here.
-# The only exceptions are "debug.", "init.svc_debug_pid.", and "ctl." properties.
+# microdroid only uses much fewer properties than normal Android, so every property is listed as
+# an exact entry. The only wildcards are "debug.*", "init.svc_debug_pid.*", "ctl.*", and
+# process-dependent properties like "arm64.memtag.*" and "log.tag.*".
-debug. u:object_r:debug_prop:s0 prefix
+debug. u:object_r:debug_prop:s0 prefix
+persist.debug. u:object_r:debug_prop:s0 prefix
init.svc_debug_pid. u:object_r:init_svc_debug_prop:s0 prefix int
@@ -21,12 +23,13 @@
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
-ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
-ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
+ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
+ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
+ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
-ctl.fuse_ u:object_r:ctl_fuse_prop:s0
-ctl.console u:object_r:ctl_console_prop:s0
-ctl. u:object_r:ctl_default_prop:s0
+ctl.console u:object_r:ctl_console_prop:s0
+ctl.fuse_ u:object_r:ctl_fuse_prop:s0
+ctl. u:object_r:ctl_default_prop:s0
sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0 exact bool
@@ -136,3 +139,18 @@
service.adb.listen_addrs u:object_r:adbd_prop:s0 exact string
persist.adb.wifi.guid u:object_r:adbd_prop:s0 exact string
+
+log.tag. u:object_r:log_tag_prop:s0 prefix
+persist.log.tag. u:object_r:log_tag_prop:s0 prefix
+
+libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
+libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
+libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
+
+arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+
+persist.sys.timezone u:object_r:timezone_prop:s0 exact string
+
+ro.vndk.version u:object_r:build_prop:s0 exact string
+
+heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index d014af5..5dad3c1 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -23,3 +23,5 @@
allow servicemanager vendor_service_contexts_file:file r_file_perms;
add_service(servicemanager, service_manager_service)
+
+set_prop(servicemanager, ctl_interface_start_prop)
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index 3bb879d..aaebf68 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -33,3 +33,9 @@
# Test tool automatically tries to access /sys/class/power_supply.
# Suppressing it as we don't need power_supply in microdroid.
dontaudit shell sysfs:dir r_dir_perms;
+
+# Test tool tries to read various service status properties.
+get_prop(shell, init_service_status_prop)
+get_prop(shell, init_service_status_private_prop)
+
+set_prop(shell, log_tag_prop)
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index 4ff417b..8524c18 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -52,3 +52,6 @@
# TODO(b/193118220): find out why this happens.
dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };
+
+# ueventd sets ro.cold_boot_done to signal to init that cold boot has completed.
+set_prop(ueventd, cold_boot_done_prop)