Limit processes that can change settings sysprops
Limit processes that can change global settings system properties.
Only system server and shell (for tests) should be able to set the
affected system properties.
Bug: 248307936
Test: treehugger only
Change-Id: I20b40cbedc9ad5277d08d033fc9d3ff6df7b7919
diff --git a/private/shell.te b/private/shell.te
index c20e612..1db132d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -91,6 +91,10 @@
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)
+# Allow shell to set some global settings system properties for tests.
+set_prop(shell, locale_prop)
+set_prop(shell, timezone_prop)
+
# Allow shell to set and read value of properties used for CTS tests of
# userspace reboot
set_prop(shell, userspace_reboot_test_prop)
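Review bot: The two new grants `set_prop(shell, locale_prop)` and `set_prop(shell, timezone_prop)` are unconditional, so they apply to the shell domain on every build type, while the comment only says "for tests". If the tests only run on debuggable builds, the lines could sit inside `userdebug_or_eng(` ... `)`. If they must also work on user builds, the comment should say so and name the tests, for example `# Allow shell to set locale and timezone properties for <test suite>; intentionally granted on user builds as well.` This matters more after this change, because shell becomes one of very few remaining writers of these properties.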
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index dbb5507..bb16f20 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -58,9 +58,7 @@
set_prop(surfaceflinger, exported_system_prop)
set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
-set_prop(surfaceflinger, locale_prop)
set_prop(surfaceflinger, surfaceflinger_display_prop)
-set_prop(surfaceflinger, timezone_prop)
# Get properties.
get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
diff --git a/private/system_app.te b/private/system_app.te
index 61d3b5d..822fbb5 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -44,10 +44,8 @@
set_prop(system_app, exported_system_prop)
set_prop(system_app, exported3_system_prop)
set_prop(system_app, gesture_prop)
-set_prop(system_app, locale_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
-set_prop(system_app, timezone_prop)
set_prop(system_app, usb_control_prop)
set_prop(system_app, usb_prop)
set_prop(system_app, log_tag_prop)
diff --git a/public/property.te b/public/property.te
index a9e61b5..8cc488a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -77,6 +77,7 @@
system_restricted_prop(hypervisor_prop)
system_restricted_prop(init_service_status_prop)
system_restricted_prop(libc_debug_prop)
+system_restricted_prop(locale_prop)
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
system_restricted_prop(persist_wm_debug_prop)
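Review bot: Nothing in this change pins the stated goal that only system server and shell may set these properties. Relabelling `locale_prop` here (and `timezone_prop` in the next hunk) as `system_restricted_prop` and dropping two allow rules narrows today's writers, but a later `set_prop` grant for another core domain would still compile. The restricted class presumably already stops non-system domains from writing, though that is not visible in this diff. Consider adding a neverallow beside the policy's other property rules, for example `neverallow { domain -init -system_server -shell } { locale_prop timezone_prop }:property_service set;`, with the exempted domains adjusted to whatever legitimately writes them. That would also make the build fail if an existing writer outside this diff was missed.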
@@ -92,6 +93,7 @@
system_restricted_prop(surfaceflinger_display_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
+system_restricted_prop(timezone_prop)
system_restricted_prop(ab_update_gki_prop)
system_restricted_prop(usb_prop)
system_restricted_prop(userspace_reboot_exported_prop)
@@ -212,7 +214,6 @@
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
system_public_prop(lmkd_prop)
-system_public_prop(locale_prop)
system_public_prop(logd_prop)
system_public_prop(logpersistd_logging_prop)
system_public_prop(log_prop)
@@ -231,7 +232,6 @@
system_public_prop(system_prop)
system_public_prop(system_user_mode_emulation_prop)
system_public_prop(telephony_status_prop)
-system_public_prop(timezone_prop)
system_public_prop(usb_control_prop)
system_public_prop(vold_post_fs_data_prop)
system_public_prop(wifi_hal_prop)