Fix vendor defining macros and neverallows

init and dumpstate should be able to access all properties, but they are
in coredomain, so the neverallow rules for vendor properties must be
changed to avoid conflicts with those domains' allow rules.

Bug: 145339613
Test: add vendor_internal_prop manually and build.
Change-Id: If582870f855e4444f8ac0d091696c0c7fd833791
diff --git a/public/property.te b/public/property.te
index 33e2ed4..8abd404 100644
--- a/public/property.te
+++ b/public/property.te
@@ -234,6 +234,7 @@
 
 neverallow { domain -coredomain } {
   system_property_type
+  system_internal_property_type
   -system_restricted_property_type
   -system_public_property_type
 }:file no_rw_file_perms;
@@ -243,25 +244,20 @@
   -system_public_property_type
 }:property_service set;
 
-neverallow { domain -coredomain } {
-  system_internal_property_type
-}:file no_rw_file_perms;
-
-neverallow coredomain {
+# init is in coredomain, but should be able to read/write all props.
+# dumpstate is also in coredomain, but should be able to read all props.
+neverallow { coredomain -init -dumpstate } {
   vendor_property_type
+  vendor_internal_property_type
   -vendor_restricted_property_type
   -vendor_public_property_type
 }:file no_rw_file_perms;
 
-neverallow coredomain {
+neverallow { coredomain -init } {
   vendor_property_type
   -vendor_public_property_type
 }:property_service set;
 
-neverallow coredomain {
-  vendor_internal_property_type
-}:file no_rw_file_perms;
-
 ')
 
 # There is no need to perform ioctl or advisory locking operations on
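Review bot: Exempting dumpstate from the `no_rw_file_perms` neverallow on `vendor_property_type`/`vendor_internal_property_type` drops the compile-time guard against dumpstate writing those property files as well, although the new comment above it only intends read access; the write-side class is `property_service set`, but the `file` rule is what stops a stray `write`/`setattr`/`unlink` allow from landing. Keep dumpstate covered on the write side by adding, next to the read rule, `neverallow { coredomain -init } { vendor_property_type vendor_internal_property_type -vendor_restricted_property_type -vendor_public_property_type }:file no_w_file_perms;` so that only init is fully exempt. The same widening is introduced by the `vendor_internal_prop` change in te_macros. The enclosing `treble_sysprop_neverallow(` block starts before this hunk and is closed by the `')` on the last context line.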
diff --git a/public/te_macros b/public/te_macros
index 88e71d8..9672227 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -772,7 +772,7 @@
 define(`system_internal_prop', `
   define_prop($1, system, internal)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:file no_rw_file_perms;
+    neverallow { domain -coredomain } $1:file no_rw_file_perms;
   ')
 ')
 
@@ -785,7 +785,7 @@
 define(`system_restricted_prop', `
   define_prop($1, system, restricted)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:property_service set;
+    neverallow { domain -coredomain } $1:property_service set;
   ')
 ')
 
@@ -804,7 +804,7 @@
 define(`product_internal_prop', `
   define_prop($1, product, internal)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:file no_rw_file_perms;
+    neverallow { domain -coredomain } $1:file no_rw_file_perms;
   ')
 ')
 
@@ -817,7 +817,7 @@
 define(`product_restricted_prop', `
   define_prop($1, product, restricted)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:property_service set;
+    neverallow { domain -coredomain } $1:property_service set;
   ')
 ')
 
@@ -836,7 +836,8 @@
 define(`vendor_internal_prop', `
   define_prop($1, vendor, internal)
   treble_sysprop_neverallow(`
-    neverallow coredomain $1:file no_rw_file_perms;
+# init and dumpstate are in coredomain, but should be able to read all props.
+    neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
   ')
 ')
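Review bot: The inserted `#` comment sits at column 0 inside the quoted macro body while every other body line (`define_prop`, `treble_sysprop_neverallow`, `neverallow`) is indented, which is inconsistent with how the surrounding macros are written; indent it to match, e.g. `    # init (read/write) and dumpstate (read-only) are in coredomain but need all props.`. Note that the comment is emitted into the generated policy on every expansion of the macro, which is harmless since `#` is also a comment in the resulting policy but is worth stating. The `vendor_restricted_prop` hunk below has the same column-0 comment and would take the same indentation fix.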
 
@@ -849,7 +850,8 @@
 define(`vendor_restricted_prop', `
   define_prop($1, vendor, restricted)
   treble_sysprop_neverallow(`
-    neverallow coredomain $1:property_service set;
+# init is in coredomain, but should be able to write all props.
+    neverallow { coredomain -init } $1:property_service set;
   ')
 ')