Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / e49714542ee846a7b14c8edb78303ec94cb4836e^! / . / private / property_contexts
commite49714542ee846a7b14c8edb78303ec94cb4836e[log] [tgz]
authorJaekyun Seok <jaekyun@google.com>Thu Oct 19 16:54:49 2017 +0900
committerJeffrey Vander Stoep <jeffv@google.com>Wed Jan 10 16:15:25 2018 +0000
treed215371716907651c154c87f323e25bc2c16ccb7
parentc80f9e037bedb09d08a261f255f87ea105fa371b [diff] [blame]
Whitelist exported platform properties

This CL lists all the exported platform properties in
private/exported_property_contexts.

Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.

Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e

diff --git a/private/property_contexts b/private/property_contexts
index 1706224..de9fce1 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -9,7 +9,10 @@
 net.lte                 u:object_r:net_radio_prop:s0
 net.cdma                u:object_r:net_radio_prop:s0
 net.dns                 u:object_r:net_dns_prop:s0
-sys.usb.config          u:object_r:system_radio_prop:s0
+# TODO(b/36001741): Rename to sys.usb.config when exact match is supported and
+# so an exact-matching spec isn't considered as a duplicate of a
+# prefix-matching spec having the same property name.
+sys.usb.conf            u:object_r:system_radio_prop:s0
 ril.                    u:object_r:radio_prop:s0
 ro.ril.                 u:object_r:radio_prop:s0
 gsm.                    u:object_r:radio_prop:s0
@@ -45,6 +48,7 @@
 persist.bluetooth.      u:object_r:bluetooth_prop:s0
 persist.debug.          u:object_r:persist_debug_prop:s0
 persist.logd.           u:object_r:logd_prop:s0
+ro.logd.                u:object_r:logd_prop:s0
 persist.logd.security   u:object_r:device_logging_prop:s0
 persist.logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
 logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
@@ -86,6 +90,9 @@
 
 # ro.build.fingerprint is either set in /system/build.prop, or is
 # set at runtime by system_server.
+# TODO(b/36001741): Copy into exported_property_contexts when exact match is
+# supported and so an exact-matching spec isn't considered as a duplicate of a
+# prefix-matching spec having the same property name.
 ro.build.fingerprint    u:object_r:fingerprint_prop:s0
 
 ro.persistent_properties.ready  u:object_r:persistent_properties_ready_prop:s0
@@ -120,3 +127,10 @@
 
 # hwservicemanager properties
 hwservicemanager.       u:object_r:hwservicemanager_prop:s0
+
+# Common vendor default properties.
+init.svc.vendor.        u:object_r:vendor_default_prop:s0
+ro.hardware.            u:object_r:vendor_default_prop:s0
+ro.vendor.              u:object_r:vendor_default_prop:s0
+persist.vendor.         u:object_r:vendor_default_prop:s0
+vendor.                 u:object_r:vendor_default_prop:s0