commit 75806ef3c529c019ab002072cca7951b91f245aa
author Inseob Kim <inseob@google.com> Wed Mar 27 17:18:41 2024 +0900
committer Inseob Kim <inseob@google.com> Thu Mar 28 00:33:46 2024 +0000
tree cbd0c46779774cd09f127c0e20144c39dff08dca
parent e98c6d2b38114e0819a558ef5e0d2793a30eebff

Minimize public policy

Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12

private/property.te

diff --git a/private/property.te b/private/property.te
index ae471d0..c5f62a7 100644
--- a/private/property.te
+++ b/private/property.te
@@ -74,6 +74,44 @@
 system_restricted_prop(persist_sysui_builder_extras_prop)
 system_restricted_prop(persist_sysui_ranking_update_prop)
 
+typeattribute log_prop log_property_type;
+typeattribute log_tag_prop log_property_type;
+typeattribute wifi_log_prop log_property_type;
+
+allow property_type tmpfs:filesystem associate;
+
+# core_property_type should not be used for new properties or
+# device specific properties. Properties with this attribute
+# are readable to everyone, which is overly broad and should
+# be avoided.
+# New properties should have appropriate read / write access
+# control rules written.
+
+typeattribute audio_prop         core_property_type;
+typeattribute config_prop        core_property_type;
+typeattribute cppreopt_prop      core_property_type;
+typeattribute dalvik_prop        core_property_type;
+typeattribute debuggerd_prop     core_property_type;
+typeattribute debug_prop         core_property_type;
+typeattribute dhcp_prop          core_property_type;
+typeattribute dumpstate_prop     core_property_type;
+typeattribute logd_prop          core_property_type;
+typeattribute net_radio_prop     core_property_type;
+typeattribute nfc_prop           core_property_type;
+typeattribute ota_prop           core_property_type;
+typeattribute pan_result_prop    core_property_type;
+typeattribute persist_debug_prop core_property_type;
+typeattribute powerctl_prop      core_property_type;
+typeattribute radio_prop         core_property_type;
+typeattribute restorecon_prop    core_property_type;
+typeattribute shell_prop         core_property_type;
+typeattribute system_prop        core_property_type;
+typeattribute usb_prop           core_property_type;
+typeattribute vold_prop          core_property_type;
+
+typeattribute dalvik_config_prop         dalvik_config_prop_type;
+typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;
+
 ###
 ### Neverallow rules
 ###
@@ -767,4 +805,3 @@
   -init
   -vendor_init
 } pm_archiving_enabled_prop:property_service set;
-