microdroid: Remove default_prop access

This adds the properties needed to run microdroid to property_contexts,
and then removes default_prop access from all domains except init, as
init should be able to write all properties.

Bug: 194447534
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I2f80c71ce257613b3c3b019a3e988a5a0653d879
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index ac5ad6c..fd9fa47 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -222,11 +222,12 @@
 # TODO(b/199007910): remove these
 set_prop(domain, {
     property_type
+    -default_prop
     -vmsecret_keymint_prop
     -microdroid_manager_roothash_prop
 })
-# auditallow { domain -init } property_type:property_service set;
-# auditallow { domain -init } property_type:file rw_file_perms;
+#auditallow { domain -default_prop -init } property_type:property_service set;
+#auditallow { domain -default_prop -init } property_type:file rw_file_perms;
 
 allow domain linkerconfig_file:dir search;
 allow domain linkerconfig_file:file r_file_perms;
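Review bot: In the two commented-out `auditallow` lines, `-default_prop` is subtracted from the source set `{ domain -default_prop -init }`, but property.te declares `default_prop` as a `property_type`, not a domain, so the exclusion would have no effect if these lines are re-enabled. It belongs on the target side, mirroring the `set_prop` exclusion list just above: `#auditallow { domain -init } { property_type -default_prop }:property_service set;`, and likewise for the `:file rw_file_perms` line. Fixing it now keeps the audit rule usable as a detection aid while the TODO is being worked down.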
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 7460fb4..3c6d248 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -34,7 +34,11 @@
 
 ro.logd.kernel u:object_r:logd_prop:s0 exact bool
 
+ro.config.low_ram u:object_r:build_prop:s0 exact bool
+
 ro.boottime.adbd                      u:object_r:boottime_prop:s0 exact int
+ro.boottime.apexd-vm                  u:object_r:boottime_prop:s0 exact int
+ro.boottime.apkdmverity               u:object_r:boottime_prop:s0 exact int
 ro.boottime.authfs_service            u:object_r:boottime_prop:s0 exact int
 ro.boottime.hwservicemanager          u:object_r:boottime_prop:s0 exact int
 ro.boottime.init                      u:object_r:boottime_prop:s0 exact int
@@ -58,33 +62,51 @@
 
 hwservicemanager.ready u:object_r:hwservicemanager_prop:s0 exact bool
 
-apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+apexd.status      u:object_r:apexd_prop:s0 exact enum starting activated ready
+ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
 
 ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
 
-sys.usb.controller u:object_r:usb_control_prop:s0 exact string
+sys.usb.controller     u:object_r:usb_control_prop:s0 exact string
+persist.sys.usb.config u:object_r:usb_control_prop:s0 exact string
 
-init.svc.authfs_service            u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.hwservicemanager          u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.keystore2                 u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd                      u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd-reinit               u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.microdroid_manager        u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.servicemanager            u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.ueventd                   u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.zipfuse                   u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.apexd-vm           u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.apkdmverity        u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.authfs_service     u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.hwservicemanager   u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.keystore2          u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd               u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd-reinit        u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.servicemanager     u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.ueventd            u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.zipfuse            u:object_r:init_service_status_private_prop:s0 exact string
 
 init.svc.adbd       u:object_r:init_service_status_prop:s0 exact string
 init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
 
 init.svc.vendor.keymint-microdroid u:object_r:vendor_default_prop:s0 exact string
 
-ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
-ro.baseband      u:object_r:bootloader_prop:s0 exact string
-ro.bootloader    u:object_r:bootloader_prop:s0 exact string
-ro.bootmode      u:object_r:bootloader_prop:s0 exact string
-ro.hardware      u:object_r:bootloader_prop:s0 exact string
-ro.revision      u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware                   u:object_r:bootloader_prop:s0 exact string
+ro.boot.avb_version                u:object_r:bootloader_prop:s0 exact string
+ro.boot.boot_devices               u:object_r:bootloader_prop:s0 exact string
+ro.boot.first_stage_console        u:object_r:bootloader_prop:s0 exact string
+ro.boot.force_normal_boot          u:object_r:bootloader_prop:s0 exact string
+ro.boot.slot_suffix                u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.avb_version         u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.device_state        u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.digest              u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.hash_alg            u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.invalidate_on_error u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.size                u:object_r:bootloader_prop:s0 exact string
+ro.boot.verifiedbootstate          u:object_r:bootloader_prop:s0 exact string
+ro.boot.veritymode                 u:object_r:bootloader_prop:s0 exact string
+
+ro.baseband   u:object_r:bootloader_prop:s0 exact string
+ro.bootloader u:object_r:bootloader_prop:s0 exact string
+ro.bootmode   u:object_r:bootloader_prop:s0 exact string
+ro.hardware   u:object_r:bootloader_prop:s0 exact string
+ro.revision   u:object_r:bootloader_prop:s0 exact string
 
 ro.build.id                     u:object_r:build_prop:s0 exact string
 ro.build.version.release        u:object_r:build_prop:s0 exact string
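Review bot: Every `ro.boot.*` entry added here is an `exact` match, so any bootloader-provided `ro.boot.` property missing from the list keeps the `default_prop` label. With the neverallow added in property.te, such a property becomes unreadable to every domain except init. That is a sound least-privilege default, but nothing in the file says the list is meant to be exhaustive. I would add a comment above the block such as `# ro.boot.* is enumerated on purpose; unlisted properties fall back to default_prop (init only)`. The hunk does not show whether a `ro.boot.` prefix rule exists elsewhere in this file, so confirm that first.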
@@ -95,12 +117,22 @@
 
 ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
 
-ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
-
-ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
-
 keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
 
+keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
+
 apex_config.done u:object_r:apex_config_prop:s0 exact bool
 
 microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
+
+dev.mnt.blk.root   u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.dev.root   u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.dev.vendor u:object_r:dev_mnt_prop:s0 exact string
+
+gsid.image_installed  u:object_r:gsid_prop:s0 exact bool
+ro.gsid.image_running u:object_r:gsid_prop:s0 exact bool
+
+service.adb.listen_addrs u:object_r:adbd_prop:s0 exact string
+
+persist.adb.wifi.guid  u:object_r:adbd_prop:s0 exact string
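Review bot: `service.adb.listen_addrs` and `persist.adb.wifi.guid` get the new type `adbd_prop`, but the `set_prop(domain, { property_type -default_prop ... })` rule in domain.te still lets every domain set any labeled type. The new label therefore does not yet narrow who can change adbd's listen address. The same holds for the other non-`ro.` additions in this hunk, `keystore.crash_count` and `gsid.image_installed`. A comment next to these entries would record the intent, for example `# TODO(b/199007910): limit writers of adbd_prop once the blanket set_prop in domain.te is removed`. Minor: `persist.adb.wifi.guid` has two spaces before the context, unlike the line above it.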
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 577353a..7e77df2 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -1,3 +1,4 @@
+type adbd_prop, property_type;
 type apexd_prop, property_type;
 type bootloader_prop, property_type;
 type boottime_prop, property_type;
@@ -19,13 +20,15 @@
 type ctl_zipfuse_prop, property_type;
 type debug_prop, property_type;
 type default_prop, property_type;
-type exported_default_prop, property_type;
+type dev_mnt_prop, property_type;
 type fingerprint_prop, property_type;
+type gsid_prop, property_type;
 type hwservicemanager_prop, property_type;
 type init_perf_lsm_hooks_prop, property_type;
 type init_service_status_private_prop, property_type;
 type init_service_status_prop, property_type;
 type init_svc_debug_prop, property_type;
+type keystore_crash_prop, property_type;
 type keystore_listen_prop, property_type;
 type logd_prop, property_type;
 type property_service_version_prop, property_type;
@@ -38,7 +41,9 @@
 
 allow property_type tmpfs:filesystem associate;
 
-#----------------------------------------
-type adbd_config_prop, property_type;
+# Properties should be explicitly labeled in property_contexts
+neverallow { domain -init } default_prop:file no_rw_file_perms;
+neverallow { domain -init } default_prop:property_service set;
 
-type module_sdkextensions_prop, property_type;
+dontaudit { domain -init } default_prop:file no_rw_file_perms;
+dontaudit { domain -init } default_prop:property_service set;
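Review bot: The two `dontaudit` rules at the end suppress every denial on `default_prop`, so a property that is still missing from property_contexts will fail silently instead of appearing in the audit log. The existing comment explains the neverallow but not the dontaudit, and the commented-out `auditallow` in domain.te will not help find such properties either. I would document the trade-off above the rules, e.g. `# dontaudit hides denials for unlabeled properties; drop it temporarily when debugging a missing property_contexts entry`. This hunk also removes `adbd_config_prop` and `module_sdkextensions_prop`, which the commit message does not mention; confirm that no other policy file outside this diff still references them.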