Add entries for some properties in default_prop
Currently default_prop is readable by coredomain and appdomain. That's
too broad, and we are going to restrict the access so every property
should be added to property_contexts.
This adds some missing properties to property_contexts. Newly added
property contexts are:
- wrap.*: used by zygote to give arguments. It's assigned as
zygote_wrap_prop, and will be readable from coredomain.
- partition.{mount_name}.verified: used by dm-verity. It's assigned as
vertiy_status_prop, and will only be accessible from init.
- (ro.)?setupwizard.*: used by setup wizard. It's assigned as
setupwizard_prop, and will be readable from coredomain.
Other properties, such as ro.gfx.*, media.stagefright.*,
ro.storage_manager.* are also added to existing contexts.
Bug: 170590987
Test: boot crosshatch and see no denials
Change-Id: Ife9d69a62ee8bd7395a70cd104271898c8a72540
diff --git a/private/property.te b/private/property.te
index bf73c3d..67fc551 100644
--- a/private/property.te
+++ b/private/property.te
@@ -15,10 +15,13 @@
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
+system_internal_prop(setupwizard_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
+system_internal_prop(verity_status_prop)
+system_internal_prop(zygote_wrap_prop)
# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
system_internal_prop(keystore2_enable_prop)
@@ -482,3 +485,15 @@
-system_server
-zygote
} keystore2_enable_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+} zygote_wrap_prop:property_service set;
+
+neverallow {
+ -init
+} verity_status_prop:property_service set;
+
+neverallow {
+ -init
+} setupwizard_prop:property_service set;