Add sepolicy for gsid properties, and allow system_server to read them. Bug: 123777418 Test: manual test Change-Id: I9f8c721dfd074e638573d85cf1d8045a69c3854e

commit: 8fe3c746548f06964823676c011016b493286272 [log] [tgz]
author: David Anderson <dvander@google.com> Thu Feb 07 13:14:20 2019 -0800
committer: David Anderson <dvander@google.com> Tue Feb 19 21:08:09 2019 +0000
tree: 55f54df5d6baa801110a021b95846ad0d4269fbb
parent: 52c1d81aa4c1e80be0ebeb19d764ad4698b3b05a [diff] [blame]
diff --git a/private/gsid.te b/private/gsid.te
index 0c2e50c..62ac06b 100644
--- a/private/gsid.te
+++ b/private/gsid.te

@@ -9,6 +9,7 @@
 binder_use(gsid)
 binder_service(gsid)
 add_service(gsid, gsi_service)
+set_prop(gsid, gsid_prop)
 
 # Needed to create/delete device-mapper nodes, and read/write to them.
 allow gsid dm_device:chr_file rw_file_perms;
@@ -33,6 +34,8 @@
 # gsi_tool passes the system image over the adb connection, via stdin.
 allow gsid adbd:fd use;
 
+neverallow { domain -gsid -init } gsid_prop:property_service set;
+
 # gsid needs to store images on /data, but cannot use file I/O. If it did, the
 # underlying blocks would be encrypted, and we couldn't mount the GSI image in
 # first-stage init. So instead of directly writing to /data, we:
commit	8fe3c746548f06964823676c011016b493286272	[log] [tgz]
author	David Anderson <dvander@google.com>	Thu Feb 07 13:14:20 2019 -0800
committer	David Anderson <dvander@google.com>	Tue Feb 19 21:08:09 2019 +0000
tree	55f54df5d6baa801110a021b95846ad0d4269fbb
parent	52c1d81aa4c1e80be0ebeb19d764ad4698b3b05a [diff] [blame]