Relabel various exported3_default_prop
This removes bad context names "exported*_prop". Property contexts of
following properties are changed. All properties are settable only by
vendor-init.
- ro.config.per_app_memcg
This becomes lmkd_config_prop.
- ro.zygote
This becomes dalvik_config_prop.
- ro.oem_unlock_supported
This becomes oem_unlock_prop. It's readable by system_app which includes
Settings apps.
- ro.storage_manager.enabled
This becomes storagemanager_config_prop. It's readable by coredomain.
Various domains in coredomain seem to read it.
- sendbug.preferred.domain
This becomes sendbug_config_prop. It's readable by appdomain.
There are still 3 more exported3_default_prop, which are going to be
tracked individually.
Bug: 155844385
Test: selinux denial check on Pixel devices
Change-Id: I340c903ca7bda98a92d0f157c65f6833ed00df05
diff --git a/private/app.te b/private/app.te
index a42b60e..546b019 100644
--- a/private/app.te
+++ b/private/app.te
@@ -49,5 +49,8 @@
# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+# Allow to read sendbug.preferred.domain
+get_prop(appdomain, sendbug_config_prop)
+
# Allow to read graphics related properties.
get_prop(appdomain, graphics_config_prop)
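Review bot: `get_prop(appdomain, sendbug_config_prop)` grants the read to every app domain, and the comment above it states what is allowed but not which reader needs that breadth. appdomain presumably also covers untrusted and isolated apps, so if only specific apps consume sendbug.preferred.domain, the grant could be narrower. If the breadth is intended, record the reason in the comment, e.g. `# sendbug.preferred.domain is read by <consumer>, which can run in any app domain.`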
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index c80c4dc..54df5b9 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -139,6 +139,7 @@
network_stack_service
network_watchlist_data_file
network_watchlist_service
+ oem_unlock_prop
overlayfs_file
packagemanager_config_prop
perfetto
@@ -157,6 +158,7 @@
secure_element_device
secure_element_service
secure_element_tmpfs
+ sendbug_config_prop
server_configurable_flags_data_file
simpleperf_app_runner
simpleperf_app_runner_exec
@@ -177,6 +179,7 @@
surfaceflinger_color_prop
surfaceflinger_prop
staging_data_file
+ storagemanager_config_prop
system_boot_reason_prop
system_bootstrap_lib_file
system_lmk_prop
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index c2babb8..8673b62 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1367,8 +1367,11 @@
lmkd_config_prop
media_config_prop
mediadrm_config_prop
+ oem_unlock_prop
packagemanager_config_prop
recovery_config_prop
+ sendbug_config_prop
+ storagemanager_config_prop
telephony_config_prop
tombstone_config_prop
vts_status_prop
diff --git a/private/coredomain.te b/private/coredomain.te
index d8ee85f..7fe1532 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -9,6 +9,7 @@
get_prop(coredomain, lmkd_config_prop)
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
+get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
get_prop(coredomain, telephony_config_prop)
diff --git a/private/property.te b/private/property.te
index 06fae0a..f7ca660 100644
--- a/private/property.te
+++ b/private/property.te
@@ -425,3 +425,22 @@
} {
localization_prop
}:property_service set;
+
+neverallow {
+ -init
+ -vendor_init
+ -dumpstate
+ -system_app
+} oem_unlock_prop:file no_rw_file_perms;
+
+neverallow {
+ -coredomain
+ -vendor_init
+} storagemanager_config_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+ -vendor_init
+ -dumpstate
+ -appdomain
+} sendbug_config_prop:file no_rw_file_perms;
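Review bot: Each of the three added neverallow rules has a source set made only of subtractions (`-init`, `-vendor_init`, …) with no positive base to subtract from. Depending on how the policy compiler handles a purely negated set, such a rule may match no domain and so assert nothing. Starting each set with `domain`, e.g. `neverallow { domain -init -vendor_init -dumpstate -system_app } oem_unlock_prop:file no_rw_file_perms;`, makes the intended "everything except these" explicit. These rules also cover only file read/write; the "settable only by vendor-init" statement in the description would need a `property_service set` restriction, which is not in this hunk and may come from type declarations in a file not shown here.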
diff --git a/private/property_contexts b/private/property_contexts
index 29ae888..71967a2 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -344,6 +344,7 @@
dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
+ro.zygote u:object_r:dalvik_config_prop:s0 exact string
persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
@@ -398,8 +399,6 @@
ro.config.system_vol_steps u:object_r:systemsound_config_prop:s0 exact int
ro.config.vc_call_vol_default u:object_r:systemsound_config_prop:s0 exact int
-ro.config.per_app_memcg u:object_r:exported3_default_prop:s0 exact bool
-
ro.control_privapp_permissions u:object_r:packagemanager_config_prop:s0 exact enum disable enforce log
ro.cp_system_other_odex u:object_r:packagemanager_config_prop:s0 exact bool
@@ -421,6 +420,7 @@
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
+ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.critical_upgrade u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.debug u:object_r:lmkd_config_prop:s0 exact bool
@@ -447,13 +447,13 @@
ro.minui.overscan_percent u:object_r:recovery_config_prop:s0 exact int
ro.minui.pixel_format u:object_r:recovery_config_prop:s0 exact string
-ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
+ro.oem_unlock_supported u:object_r:oem_unlock_prop:s0 exact int
ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
-ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
+ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
@@ -465,9 +465,7 @@
zram.force_writeback u:object_r:zram_config_prop:s0 exact bool
persist.sys.zram_enabled u:object_r:zram_control_prop:s0 exact bool
-ro.zygote u:object_r:exported3_default_prop:s0 exact string
-
-sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
+sendbug.preferred.domain u:object_r:sendbug_config_prop:s0 exact string
persist.sys.usb.usbradio.config u:object_r:usb_control_prop:s0 exact string
diff --git a/private/system_app.te b/private/system_app.te
index e160ff4..c2dc2d1 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -153,6 +153,9 @@
allow system_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# Settings app reads ro.oem_unlock_supported
+get_prop(system_app, oem_unlock_prop)
+
###
### Neverallow rules
###