Add new context packagemanager_config_prop
Part of removing the bad context names exported[23]_default_prop.
Bug: 155844385
Test: m selinux_policy
Change-Id: Ic4bbc8e45d810368a96f6985c2234798e73be82d
Merged-In: Ic4bbc8e45d810368a96f6985c2234798e73be82d
(cherry picked from commit 072b01438e02e9d3cfba04c768e7a440549cc8b1)
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index ceac1dd..4032646 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -136,6 +136,7 @@
network_watchlist_data_file
network_watchlist_service
overlayfs_file
+ packagemanager_config_prop
perfetto
perfetto_exec
perfetto_tmpfs
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 3a1c1f2..9810e2f 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1364,6 +1364,7 @@
lmkd_config_prop
media_config_prop
mediadrm_config_prop
+ packagemanager_config_prop
recovery_config_prop
telephony_config_prop
zram_config_prop))
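Review bot: Only the 27.0 ignore list and the 30.0 mapping gain packagemanager_config_prop in this diff; the 28.0 and 29.0 compat files are not touched. If those versions carry the same kind of typeattributeset for the old exported3_default_prop label as the set closed at `zram_config_prop))` here appears to be, they would presumably need the same entry so that vendor images built against 28/29 keep resolving the two re-labelled properties. Worth confirming whether those files were intentionally left out or are covered by a separate change.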
diff --git a/private/property.te b/private/property.te
index 1aa4ddf..eb09f4f 100644
--- a/private/property.te
+++ b/private/property.te
@@ -406,3 +406,11 @@
} {
graphics_config_prop
}:property_service set;
+
+neverallow {
+ -init
+ -dumpstate
+ -system_server
+ -vendor_init
+ -zygote
+} packagemanager_config_prop:file no_rw_file_perms;
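Review bot: The subject set of the new neverallow lists only negated domains (`-init` … `-zygote`) with no positive base such as `domain`, so whether this rule constrains anything depends on how checkpolicy expands an all-negative set; if it expands to the empty set the neverallow is vacuous and `m selinux_policy` passes silently. Adding `domain` as the first element, `neverallow {` / `  domain` / `  -init` …, makes the intent explicit either way and is presumably the form the surrounding property neverallows use (the subject set of the preceding one lies outside this hunk). Worth confirming the rule actually fires, e.g. by checking that the build fails when an unlisted domain is temporarily granted get_prop on packagemanager_config_prop.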
diff --git a/private/property_contexts b/private/property_contexts
index b73ba1a..1050aeb 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -394,9 +394,8 @@
ro.config.per_app_memcg u:object_r:exported3_default_prop:s0 exact bool
-ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
-
-ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
+ro.control_privapp_permissions u:object_r:packagemanager_config_prop:s0 exact enum disable enforce log
+ro.cp_system_other_odex u:object_r:packagemanager_config_prop:s0 exact bool
ro.crypto.allow_encrypt_override u:object_r:vold_config_prop:s0 exact bool
ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
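Review bot: The re-labelling also tightens both property types (`exact string` → `exact enum disable enforce log`, `exact int` → `exact bool`), which neither the commit title nor the description mentions; with exact type checking, a build or device override of ro.control_privapp_permissions with any value outside those three would presumably fail init's type check instead of being stored as-is. Worth confirming that the enum list matches exactly the values the reader in PackageManager accepts, and that existing build.prop values for ro.cp_system_other_odex are of a form the bool check accepts. A line in the description such as `Also narrow the two properties to their actual value types (enum / bool).` would make the behavior change visible when bisecting.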
diff --git a/private/system_server.te b/private/system_server.te
index 88e7228..7fe6f0b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -694,6 +694,9 @@
# Read/write persist.sys.dalvik.vm.lib.2
set_prop(system_server, dalvik_runtime_prop)
+# Read ro.control_privapp_permissions and ro.cp_system_other_odex
+get_prop(system_server, packagemanager_config_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index b1e2378..07154b0 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -200,6 +200,9 @@
# Allow zygote to access media_variant_prop for static initialization
get_prop(zygote, media_variant_prop)
+# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
+get_prop(zygote, packagemanager_config_prop)
+
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;