Define sepolicy with property for linker
To support linker-specific properties, sys.linker.* has been defined as
linker_prop. It is granted get_prop access from domain so that all binaries
can start with the linker using the proper property access level.
Bug: 138920271
Test: m -j && Confirmed from cuttlefish that get_prop errors are no longer found
Change-Id: Iaf584e0cbdd5bca3d5667e93cf9a6401e757a314
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 4067843..b784fd8 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -13,6 +13,7 @@
hal_can_bus_hwservice
hal_can_controller_hwservice
init_svc_debug_prop
+ linker_prop
ota_metadata_file
runtime_apex_dir
system_ashmem_hwservice
diff --git a/private/domain.te b/private/domain.te
index 81a4550..ee0ef6e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -42,6 +42,9 @@
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);
+# Allow to read properties for linker
+get_prop(domain, linker_prop);
+
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
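Review bot: The added `get_prop(domain, linker_prop);` gives every domain read access to sys.linker.*, untrusted app domains included, but the comment above it says neither that nor why. Going by the commit message, the linker reads these properties when any binary starts, so the comment could read `# The linker reads sys.linker.* in every process, so all domains get read access; values are world-readable and must not hold sensitive data.` That also tells future authors that anything placed under this prefix is visible to all processes.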
diff --git a/private/property_contexts b/private/property_contexts
index d1a97d9..55445ec 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -23,6 +23,7 @@
ro.hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
sys.cppreopt u:object_r:cppreopt_prop:s0
+sys.linker. u:object_r:linker_prop:s0
sys.lpdumpd u:object_r:lpdumpd_prop:s0
sys.powerctl u:object_r:powerctl_prop:s0
sys.usb.ffs. u:object_r:ffs_prop:s0
diff --git a/private/shell.te b/private/shell.te
index 02b01f5..8a933a5 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -74,3 +74,8 @@
# Allow shell to start and comminicate with lpdumpd.
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)
+
+# Allow shell to set linker property
+userdebug_or_eng(`
+ set_prop(shell, linker_prop)
+')
diff --git a/public/property.te b/public/property.te
index 9dc204c..4f4adec 100644
--- a/public/property.te
+++ b/public/property.te
@@ -58,6 +58,7 @@
type init_svc_debug_prop, property_type;
type last_boot_reason_prop, property_type;
type system_lmk_prop, property_type;
+type linker_prop, property_type;
type llkd_prop, property_type;
type logd_prop, property_type, core_property_type;
type logpersistd_logging_prop, property_type;
@@ -192,6 +193,13 @@
ctl_rildaemon_prop
}:property_service set;
+# Do now allow to modify linker properties except shell and init
+neverallow {
+ domain
+ -init
+ userdebug_or_eng(`-shell')
+} linker_prop:property_service set;
+
neverallow {
domain
-init
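Review bot: The comment on the new neverallow has a typo ("Do now allow") and omits that the shell exception applies only on userdebug/eng builds, which is the security-relevant part of the rule. I would write `# Do not allow any domain except init (and shell on userdebug/eng builds) to set linker properties`. These properties are presumably consumed by the linker in every process, so stating the rule precisely helps later exceptions get proper scrutiny. The neverallow that follows it starts inside this hunk but continues outside it.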
@@ -451,6 +459,7 @@
-hwservicemanager_prop
-last_boot_reason_prop
-system_lmk_prop
+ -linker_prop
-log_prop
-log_tag_prop
-logd_prop
diff --git a/public/vendor_init.te b/public/vendor_init.te
index da3651d..f458d77 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -218,6 +218,7 @@
-gsid_prop
-nnapi_ext_deny_product_prop
-init_svc_debug_prop
+ -linker_prop
})
')