Support fine grain read access control for properties

Properties are now broken up from a single /dev/__properties__ file into
multiple files, one per property label.  This commit provides the
mechanism to control read access to each of these files and therefore
sets of properties.

This commit allows full access for all domains to each of these new
property files, matching the current permissions of /dev/__properties__.
Future commits will restrict the access.

Bug: 21852512

Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
diff --git a/device.te b/device.te
index b1b4582..6457017 100644
--- a/device.te
+++ b/device.te
@@ -54,6 +54,7 @@
 type usb_device, dev_type, mlstrustedobject;
 type klog_device, dev_type;
 type properties_device, dev_type;
+type properties_serial, dev_type;
 type i2c_device, dev_type;
 
 # All devices have a uart for the hci
diff --git a/domain.te b/domain.te
index 2d11bf7..02b884f 100644
--- a/domain.te
+++ b/domain.te
@@ -76,7 +76,14 @@
 allow domain alarm_device:chr_file r_file_perms;
 allow domain urandom_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
-allow domain properties_device:file r_file_perms;
+allow domain properties_device:dir r_dir_perms;
+allow domain properties_serial:file r_file_perms;
+
+# For now, everyone can access all property files
+get_prop(domain, property_type)
+dontaudit domain property_type:file audit_access;
+allow domain property_contexts:file r_file_perms;
+
 allow domain init:key search;
 allow domain vold:key search;
 
diff --git a/file.te b/file.te
index 1d444dd..9251741 100644
--- a/file.te
+++ b/file.te
@@ -192,6 +192,9 @@
 # UART (for GPS) control proc file
 type gps_control, file_type;
 
+# property_contexts file
+type property_contexts, file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
diff --git a/file_contexts b/file_contexts
index a74f8f8..152dfb4 100644
--- a/file_contexts
+++ b/file_contexts
@@ -34,7 +34,7 @@
 
 # SELinux policy files
 /file_contexts\.bin u:object_r:rootfs:s0
-/property_contexts  u:object_r:rootfs:s0
+/property_contexts  u:object_r:property_contexts:s0
 /seapp_contexts     u:object_r:rootfs:s0
 /sepolicy           u:object_r:rootfs:s0
 /service_contexts   u:object_r:rootfs:s0
diff --git a/init.te b/init.te
index e6c7825..d07c5a7 100644
--- a/init.te
+++ b/init.te
@@ -14,8 +14,9 @@
 # /dev/socket
 allow init { device socket_device }:dir relabelto;
 # /dev/__properties__
-allow init tmpfs:file relabelfrom;
-allow init properties_device:file relabelto;
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { create_file_perms relabelto };
 
 # setrlimit
 allow init self:capability sys_resource;
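Review bot: The removed `allow init tmpfs:file relabelfrom;` is not replaced, yet the new rules grant `relabelto` on `properties_serial:file` and `property_type:file`; a relabel also needs `relabelfrom` on the source type, so either that is granted elsewhere in init.te or these `relabelto` permissions are dead. If init now creates these files already carrying their final label through a file-creation context, consider reducing the two lines to `allow init properties_serial:file write;` and `allow init property_type:file create_file_perms;`. `properties_serial:file` receives only `write`, so its creation must be covered by another rule; a comment naming how that file comes into existence would make the split between the two lines easier to verify.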
diff --git a/property.te b/property.te
index 07b5091..9e97b60 100644
--- a/property.te
+++ b/property.te
@@ -30,3 +30,5 @@
 type nfc_prop, property_type;
 type dalvik_prop, property_type;
 type config_prop, property_type;
+
+allow property_type tmpfs:filesystem associate;
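Review bot: The new `allow property_type tmpfs:filesystem associate;` has no comment explaining why property labels need to associate with tmpfs; since the per-label files replace /dev/__properties__, a short why-comment such as `# property files are created under /dev/__properties__, which lives on tmpfs` would make the rule self-explanatory. If /dev is not always tmpfs on every target, the comment should say so and the rule may need a broader filesystem type.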
diff --git a/te_macros b/te_macros
index 1936ffb..37b33a9 100644
--- a/te_macros
+++ b/te_macros
@@ -153,6 +153,15 @@
 ')
 
 #####################################
+# get_prop(sourcedomain, targetproperty)
+# Allows source domain to read the
+# targetproperty.
+#
+define(`get_prop', `
+allow $1 $2:file r_file_perms;
+')
+
+#####################################
 # unix_socket_send(clientdomain, socket, serverdomain)
 # Allow a local socket send from clientdomain via
 # socket to serverdomain.
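Review bot: The header comment for `get_prop` says it allows reading `targetproperty`, but `$2` is a property type label covering every property mapped to it in property_contexts, not a single property key; suggest `# Allows sourcedomain to read all properties` / `# labeled with targetproperty (a property_type).` so the macro is not mistaken for per-key access. It would also help to state in the same comment that access is granted on the backing property file and therefore tracks `r_file_perms`, making the coupling explicit if that permission set is ever changed.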