commit c97a97cd3f82475c19f6ddb82c96523b706409b6
author Inseob Kim <inseob@google.com> Mon Jul 20 20:26:07 2020 +0900
committer Inseob Kim <inseob@google.com> Tue Jul 21 13:11:57 2020 +0900
tree 628381b6ebb4e7b7830af83af1a11ad3e4f09a43
parent c80b0242416a823d00564d299c48b5b6a01a31ad

Move more properties out of exported3_default_prop

This is to remove exported3_default_prop. Contexts of these properties
are changed.

- ro.boot.wificountrycode
This becomes wifi_config_prop

- ro.opengles.version
This becomes graphics_config_prop. Also it's read by various domains, so
graphics_config_prop is now readable from coredomain.

- persist.config.calibration_fac
This becomes camera_calibration_prop. It's only readable by appdomain.

Bug: 155844385
Test: no denials on Pixel devices
Test: connect wifi
Change-Id: If2b6c10fa124e29d1612a8f94ae18b223849e2a9

private/app.te

diff --git a/private/app.te b/private/app.te
index 546b019..5b079c2 100644
--- a/private/app.te
+++ b/private/app.te
@@ -54,3 +54,6 @@
 
 # Allow to read graphics related properties.
 get_prop(appdomain, graphics_config_prop)
+
+# Allow to read persist.config.calibration_fac
+get_prop(appdomain, camera_calibration_prop)

private/compat/27.0/27.0.ignore.cil

diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 54df5b9..2f0a252 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -35,6 +35,7 @@
     build_odm_prop
     build_prop
     build_vendor_prop
+    camera_calibration_prop
     camera_config_prop
     cgroup_bpf
     charger_config_prop
@@ -232,6 +233,7 @@
     wait_for_keymaster_exec
     wait_for_keymaster_tmpfs
     watchdogd_tmpfs
+    wifi_config_prop
     wifi_hal_prop
     wm_trace_data_file
     wpantund

private/compat/30.0/30.0.cil

diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 8673b62..b7c080a 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1359,6 +1359,7 @@
 (typeattributeset exported2_vold_prop_30_0 (exported2_vold_prop vold_config_prop))
 (typeattributeset exported3_default_prop_30_0
   ( exported3_default_prop
+    camera_calibration_prop
     camera_config_prop
     charger_config_prop
     drm_service_config_prop
@@ -1375,6 +1376,7 @@
     telephony_config_prop
     tombstone_config_prop
     vts_status_prop
+    wifi_config_prop
     zram_config_prop))
 (typeattributeset exported3_radio_prop_30_0 (exported3_radio_prop))
 (typeattributeset exported3_system_prop_30_0

private/coredomain.te

diff --git a/private/coredomain.te b/private/coredomain.te
index 7fe1532..edb2245 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -4,6 +4,7 @@
 get_prop(coredomain, dalvik_runtime_prop)
 get_prop(coredomain, exported_pm_prop)
 get_prop(coredomain, ffs_config_prop)
+get_prop(coredomain, graphics_config_prop)
 get_prop(coredomain, hdmi_config_prop)
 get_prop(coredomain, init_service_status_private_prop)
 get_prop(coredomain, lmkd_config_prop)

private/gpuservice.te

diff --git a/private/gpuservice.te b/private/gpuservice.te
index c467383..2e4254c 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -64,5 +64,3 @@
 
 # Only uncomment below line when in development
 # userdebug_or_eng(`permissive gpuservice;')
-
-get_prop(gpuservice, graphics_config_prop)

private/property.te

diff --git a/private/property.te b/private/property.te
index f7ca660..8812173 100644
--- a/private/property.te
+++ b/private/property.te
@@ -444,3 +444,10 @@
   -dumpstate
   -appdomain
 } sendbug_config_prop:file no_rw_file_perms;
+
+neverallow {
+  -init
+  -vendor_init
+  -dumpstate
+  -appdomain
+} camera_calibration_prop:file no_rw_file_perms;

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index 71967a2..90041e0 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -266,6 +266,8 @@
 ro.audio.ignore_effects  u:object_r:audio_config_prop:s0 exact bool
 ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
 
+persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
+
 config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
 
 camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
@@ -360,8 +362,6 @@
 persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
 persist.bluetooth.btsnoopenable                u:object_r:exported_bluetooth_prop:s0 exact bool
 
-persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
-
 persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
 
 persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
@@ -384,7 +384,6 @@
 ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
 
 ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
-ro.boot.wificountrycode      u:object_r:exported3_default_prop:s0 exact string
 
 ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
 
@@ -449,8 +448,6 @@
 
 ro.oem_unlock_supported u:object_r:oem_unlock_prop:s0 exact int
 
-ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
-
 ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
 
 ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
@@ -761,6 +758,8 @@
 wifi.interface            u:object_r:wifi_hal_prop:s0 exact string
 wlan.driver.status        u:object_r:wifi_hal_prop:s0 exact enum ok unloaded
 
+ro.boot.wificountrycode u:object_r:wifi_config_prop:s0 exact string
+
 ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
 
 # Property to enable incremental feature
@@ -859,6 +858,8 @@
 ro.localization.locale_filter u:object_r:localization_prop:s0 exact string
 
 # Graphics related properties
+ro.opengles.version u:object_r:graphics_config_prop:s0 exact int
+
 ro.gfx.driver.0        u:object_r:graphics_config_prop:s0 exact string
 ro.gfx.driver.1        u:object_r:graphics_config_prop:s0 exact string
 ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool

private/shell.te

diff --git a/private/shell.te b/private/shell.te
index 9758b36..baba299 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -141,9 +141,6 @@
 
 userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
 
-# Allow to read graphics related properties.
-get_prop(shell, graphics_config_prop)
-
 # Allow to issue control commands to profcollectd binder service.
 userdebug_or_eng(`
   allow shell profcollectd:binder call;

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 81988fd..fc4ba0d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -886,9 +886,6 @@
 # Set persist.adb.tls_server.enable property
 set_prop(system_server, system_adbd_prop)
 
-# Read ro.gfx.* properties
-get_prop(system_server, graphics_config_prop)
-
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
 
@@ -992,6 +989,8 @@
 # on low memory kills.
 get_prop(system_server, system_lmk_prop)
 
+get_prop(system_server, wifi_config_prop)
+
 ###
 ### Neverallow rules
 ###
@@ -1196,3 +1195,10 @@
 neverallow { domain -init -system_server } socket_hook_prop:property_service set;
 
 neverallow { domain -init -system_server } boot_status_prop:property_service set;
+
+neverallow {
+  -init
+  -vendor_init
+  -dumpstate
+  -system_server
+} wifi_config_prop:file no_rw_file_perms;