Add new context packagemanager_config_prop

To remove bad context names exported[23]_default_prop

Bug: 155844385
Test: m selinux_policy
Change-Id: Ic4bbc8e45d810368a96f6985c2234798e73be82d
Merged-In: Ic4bbc8e45d810368a96f6985c2234798e73be82d
(cherry picked from commit 072b01438e02e9d3cfba04c768e7a440549cc8b1)
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index ceac1dd..4032646 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -136,6 +136,7 @@
     network_watchlist_data_file
     network_watchlist_service
     overlayfs_file
+    packagemanager_config_prop
     perfetto
     perfetto_exec
     perfetto_tmpfs
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 3a1c1f2..9810e2f 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1364,6 +1364,7 @@
     lmkd_config_prop
     media_config_prop
     mediadrm_config_prop
+    packagemanager_config_prop
     recovery_config_prop
     telephony_config_prop
     zram_config_prop))
diff --git a/private/property.te b/private/property.te
index 1aa4ddf..eb09f4f 100644
--- a/private/property.te
+++ b/private/property.te
@@ -406,3 +406,11 @@
 } {
   graphics_config_prop
 }:property_service set;
+
+neverallow {
+  -init
+  -dumpstate
+  -system_server
+  -vendor_init
+  -zygote
+} packagemanager_config_prop:file no_rw_file_perms;
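Review bot: The source set of the added neverallow contains only exclusions (`-init` through `-zygote`) and no positive type or attribute, so the `-` entries have nothing to subtract from. As far as I can tell, such a set matches no domain, which would leave the rule unable to constrain who may read or write `packagemanager_config_prop`. Adding `domain` as the first entry, before `-init`, would make the rule cover every domain except the five listed. The source set of the preceding rule begins outside this hunk, so I cannot confirm from here whether the file's other rules include `domain`. Once the set is fixed, `m selinux_policy` should be rerun, because a rule that now takes effect may flag existing allow rules for this type.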
diff --git a/private/property_contexts b/private/property_contexts
index b73ba1a..1050aeb 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -394,9 +394,8 @@
 
 ro.config.per_app_memcg u:object_r:exported3_default_prop:s0 exact bool
 
-ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
-
-ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
+ro.control_privapp_permissions u:object_r:packagemanager_config_prop:s0 exact enum disable enforce log
+ro.cp_system_other_odex        u:object_r:packagemanager_config_prop:s0 exact bool
 
 ro.crypto.allow_encrypt_override                u:object_r:vold_config_prop:s0 exact bool
 ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
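Review bot: Besides the relabel, both added lines narrow the accepted value type (`string` to `enum disable enforce log`, and `int` to `bool`), which the commit description does not mention. If type checking rejects a non-conforming value at set time, as I would expect, a device that sets `ro.control_privapp_permissions` to anything other than the three listed words (a different casing included) would presumably end up with the property unset. Privileged-permission enforcement would then silently follow the platform default. I would call the type change out in the description and add a comment above the two lines, for example `# Values outside the declared type are rejected; audit device build props before picking this up`.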
diff --git a/private/system_server.te b/private/system_server.te
index 88e7228..7fe6f0b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -694,6 +694,9 @@
 # Read/write persist.sys.dalvik.vm.lib.2
 set_prop(system_server, dalvik_runtime_prop)
 
+# Read ro.control_privapp_permissions and ro.cp_system_other_odex
+get_prop(system_server, packagemanager_config_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
diff --git a/private/zygote.te b/private/zygote.te
index b1e2378..07154b0 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -200,6 +200,9 @@
 # Allow zygote to access media_variant_prop for static initialization
 get_prop(zygote, media_variant_prop)
 
+# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
+get_prop(zygote, packagemanager_config_prop)
+
 # Allow zygote to read /apex/apex-info-list.xml
 allow zygote apex_info_file:file r_file_perms;
 
diff --git a/public/property.te b/public/property.te
index b6701e5..704c58d 100644
--- a/public/property.te
+++ b/public/property.te
@@ -122,6 +122,7 @@
 system_vendor_config_prop(media_config_prop)
 system_vendor_config_prop(media_variant_prop)
 system_vendor_config_prop(mediadrm_config_prop)
+system_vendor_config_prop(packagemanager_config_prop)
 system_vendor_config_prop(recovery_config_prop)
 system_vendor_config_prop(storage_config_prop)
 system_vendor_config_prop(surfaceflinger_prop)