Add selinux rules for userspace reboot related properties
By default sys.init.userspace_reboot.* properties are internal to
/system partition. The only exception is
sys.init.userspace_reboot.in_progress, which signals to all native
services (including vendor ones) that a userspace reboot is happening,
hence it should be a system_public_prop.
Only init should be allowed to set userspace reboot related properties.
Bug: 135984674
Test: builds
Test: adb reboot userspace
Change-Id: Ibb04965be2d5bf6e81b34569aaaa1014ff61e0d3
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 33678b0..6bfa4b7 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -31,6 +31,8 @@
system_group_file
system_passwd_file
timezonedetector_service
+ userspace_reboot_prop
+ userspace_reboot_exported_prop
vendor_apex_file
vendor_boringssl_self_test
vendor_install_recovery
diff --git a/private/domain.te b/private/domain.te
index 5851d75..ce2d900 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -73,6 +73,8 @@
get_prop({coredomain appdomain shell}, exported3_default_prop)
get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
+ get_prop({coredomain shell}, userspace_reboot_exported_prop)
+ get_prop({coredomain shell}, userspace_reboot_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
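Review bot: The added rule on the first `+` line grants get on userspace_reboot_exported_prop only to `{coredomain shell}`, yet the commit message says in_progress is meant to be read by all native services including vendor ones; nothing in this hunk gives a vendor domain read access to that type. If that access is supposed to come from a separate domain-wide rule for the restricted property type, a one-line comment above these two lines naming that rule would make the split intentional rather than accidental; if it does not, vendor services will be denied the read the change is meant to enable. The enclosing macro block starts outside the hunk, so the surrounding context is not visible here.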
diff --git a/private/init.te b/private/init.te
index 374b207..3edd021 100644
--- a/private/init.te
+++ b/private/init.te
@@ -32,3 +32,9 @@
# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)
+
+# Only init is allowed to set userspace reboot related properties.
+set_prop(init, userspace_reboot_prop)
+set_prop(init, userspace_reboot_exported_prop)
+neverallow { domain -init } userspace_reboot_prop:property_service set;
+neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
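Review bot: The two neverallow rules differ only in the property type and read more compactly as one rule over a type set, `neverallow { domain -init } { userspace_reboot_prop userspace_reboot_exported_prop }:property_service set;`, which also keeps the "only init" invariant in a single place if a third userspace_reboot type is added later. The comment above them could also say why vendor_init needs matching exclusions, e.g. `# vendor_init must exclude these types in vendor_init.te or the neverallow fails to compile.`, since that dependency is otherwise only discoverable from the other file in this change.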
diff --git a/private/property_contexts b/private/property_contexts
index 16c8d93..ff79c34 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -22,6 +22,7 @@
hw. u:object_r:system_prop:s0
ro.hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
+sys.init.userspace_reboot u:object_r:userspace_reboot_prop:s0
sys.cppreopt u:object_r:cppreopt_prop:s0
sys.linker. u:object_r:linker_prop:s0
sys.lpdumpd u:object_r:lpdumpd_prop:s0
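Review bot: The new prefix entry `sys.init.userspace_reboot` has no trailing dot, so, if property_contexts prefix matching is byte-wise as it appears to be for the neighbouring entries, it would also label an unrelated name such as `sys.init.userspace_rebootfoo` with userspace_reboot_prop. Since the commit message scopes these properties to `sys.init.userspace_reboot.*`, the entry is more precise as `sys.init.userspace_reboot. u:object_r:userspace_reboot_prop:s0`. The exact entry for `sys.init.userspace_reboot.in_progress` in public/property_contexts still takes precedence over this prefix either way.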
diff --git a/public/property.te b/public/property.te
index d417628..f2e132f 100644
--- a/public/property.te
+++ b/public/property.te
@@ -17,6 +17,7 @@
system_internal_prop(last_boot_reason_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
+system_internal_prop(userspace_reboot_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -62,6 +63,7 @@
system_restricted_prop(nnapi_ext_deny_product_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(system_boot_reason_prop)
+system_restricted_prop(userspace_reboot_exported_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
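Review bot: The commit message states that sys.init.userspace_reboot.in_progress "should be a system_public_prop", but this hunk declares userspace_reboot_exported_prop with `system_restricted_prop`. If I read the macros correctly, restricted (vendor may read, only system writes) is the one consistent with the `neverallow { domain -init }` set rule in init.te, and a public type would conflict with it, so the message wording rather than the rule appears to be what needs correcting. A short comment next to the declaration, e.g. `# readable by vendor, settable only by init (see init.te)`, would pin the intended semantics for future readers.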
diff --git a/public/property_contexts b/public/property_contexts
index 7a2badd..ec4b615 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -266,6 +266,7 @@
ro.secure u:object_r:exported_secure_prop:s0 exact int
service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
+sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
vold.decrypt u:object_r:exported_vold_prop:s0 exact string
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 21a9222..5d2c4f9 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -220,6 +220,8 @@
-nnapi_ext_deny_product_prop
-init_svc_debug_prop
-linker_prop
+ -userspace_reboot_exported_prop
+ -userspace_reboot_prop
})
')