SELinux changes for the hasSystemFeature() binder cache property. The binder_cache_system_server_prop context allows any user to read the property but only the system_server to write it. The only property with this context is currently binder.cache_key.has_system_feature but users will be added. Bug: 140788621 Test: this was tested on an image with a binder cache implementation. No permission issues were found. The implementation is not part of the current commit. Change-Id: I4c7c3ddf809ed947944408ffbbfc469d761a6043

commit: bafd0c762a0322a32d28d3c118a7b637d801ffcb [log] [tgz]
author: Lee Shombert <shombert@google.com> Fri Jan 10 17:23:45 2020 -0800
committer: Lee Shombert <shombert@google.com> Mon Jan 13 10:21:54 2020 -0800
tree: 6698cf411beebad88217c2dcd433f33401cb7353
parent: 65d6fd48c85cbe167ed128dc906c9b92c233c7b4 [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index c1342d8..ec79319 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1090,3 +1090,8 @@
   -system_server
 } password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
+
+# Allow systemserver to read/write the invalidation property
+set_prop(system_server, binder_cache_system_server_prop)
+neverallow { domain -system_server -init }
+    binder_cache_system_server_prop:property_service set;
commit	bafd0c762a0322a32d28d3c118a7b637d801ffcb	[log] [tgz]
author	Lee Shombert <shombert@google.com>	Fri Jan 10 17:23:45 2020 -0800
committer	Lee Shombert <shombert@google.com>	Mon Jan 13 10:21:54 2020 -0800
tree	6698cf411beebad88217c2dcd433f33401cb7353
parent	65d6fd48c85cbe167ed128dc906c9b92c233c7b4 [diff] [blame]