Drop back-compatibility for hiding ro.debuggable and ro.secure
Ignore-AOSP-First: cherry-pick for tm-qpr-dev
Bug: 193912100
Bug: 265874811
Test: N/A for cherry-pick
Change-Id: I47f2ddc4fa87bf6c8f872d2679348b2eecddcaad
Merged-In: I47f2ddc4fa87bf6c8f872d2679348b2eecddcaad
diff --git a/prebuilts/api/33.0/private/app_neverallows.te b/prebuilts/api/33.0/private/app_neverallows.te
index 9115952..304f5a2 100644
--- a/prebuilts/api/33.0/private/app_neverallows.te
+++ b/prebuilts/api/33.0/private/app_neverallows.te
@@ -254,15 +254,3 @@
# Only privileged apps may find the incident service
neverallow all_untrusted_apps incident_service:service_manager find;
-
-# Do not allow untrusted app to read hidden system proprerties
-# We exclude older application for compatibility and we do not include in the exclusions other normally
-# untrusted applications such as mediaprovider due to the specific logging use cases.
-# Context: b/193912100
-neverallow {
- untrusted_app_all
- -untrusted_app_25
- -untrusted_app_27
- -untrusted_app_29
- -untrusted_app_30
-} { userdebug_or_eng_prop }:file read;
diff --git a/prebuilts/api/33.0/private/untrusted_app_25.te b/prebuilts/api/33.0/private/untrusted_app_25.te
index 4235d7e..b40fad0 100644
--- a/prebuilts/api/33.0/private/untrusted_app_25.te
+++ b/prebuilts/api/33.0/private/untrusted_app_25.te
@@ -52,3 +52,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop({ untrusted_app_25 userdebug_or_eng(`-untrusted_app_25') }, userdebug_or_eng_prop)
diff --git a/prebuilts/api/33.0/private/untrusted_app_27.te b/prebuilts/api/33.0/private/untrusted_app_27.te
index c747af1..dd9b4a8 100644
--- a/prebuilts/api/33.0/private/untrusted_app_27.te
+++ b/prebuilts/api/33.0/private/untrusted_app_27.te
@@ -40,3 +40,6 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop({ untrusted_app_27 userdebug_or_eng(`-untrusted_app_27') }, userdebug_or_eng_prop)
diff --git a/prebuilts/api/33.0/private/untrusted_app_29.te b/prebuilts/api/33.0/private/untrusted_app_29.te
index 0360184..0cc2bea 100644
--- a/prebuilts/api/33.0/private/untrusted_app_29.te
+++ b/prebuilts/api/33.0/private/untrusted_app_29.te
@@ -20,4 +20,4 @@
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props
-get_prop(untrusted_app_29, userdebug_or_eng_prop)
+get_prop({ untrusted_app_29 userdebug_or_eng(`-untrusted_app_29') }, userdebug_or_eng_prop)
diff --git a/prebuilts/api/33.0/private/untrusted_app_30.te b/prebuilts/api/33.0/private/untrusted_app_30.te
index 6893aca..7b23be7 100644
--- a/prebuilts/api/33.0/private/untrusted_app_30.te
+++ b/prebuilts/api/33.0/private/untrusted_app_30.te
@@ -22,4 +22,4 @@
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props
-get_prop(untrusted_app_30, userdebug_or_eng_prop)
+get_prop({ untrusted_app_30 userdebug_or_eng(`-untrusted_app_30') }, userdebug_or_eng_prop)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 9115952..304f5a2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -254,15 +254,3 @@
# Only privileged apps may find the incident service
neverallow all_untrusted_apps incident_service:service_manager find;
-
-# Do not allow untrusted app to read hidden system proprerties
-# We exclude older application for compatibility and we do not include in the exclusions other normally
-# untrusted applications such as mediaprovider due to the specific logging use cases.
-# Context: b/193912100
-neverallow {
- untrusted_app_all
- -untrusted_app_25
- -untrusted_app_27
- -untrusted_app_29
- -untrusted_app_30
-} { userdebug_or_eng_prop }:file read;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 51cb514..b40fad0 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -53,6 +53,5 @@
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
-
# Allow hidden build props
-get_prop(untrusted_app_25, userdebug_or_eng_prop)
+get_prop({ untrusted_app_25 userdebug_or_eng(`-untrusted_app_25') }, userdebug_or_eng_prop)
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 0dde760..dd9b4a8 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -42,4 +42,4 @@
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props
-get_prop(untrusted_app_27, userdebug_or_eng_prop)
+get_prop({ untrusted_app_27 userdebug_or_eng(`-untrusted_app_27') }, userdebug_or_eng_prop)
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 0360184..0cc2bea 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -20,4 +20,4 @@
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props
-get_prop(untrusted_app_29, userdebug_or_eng_prop)
+get_prop({ untrusted_app_29 userdebug_or_eng(`-untrusted_app_29') }, userdebug_or_eng_prop)
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index 6893aca..7b23be7 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -22,4 +22,4 @@
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
# Allow hidden build props
-get_prop(untrusted_app_30, userdebug_or_eng_prop)
+get_prop({ untrusted_app_30 userdebug_or_eng(`-untrusted_app_30') }, userdebug_or_eng_prop)