Merge "Correct labels on files / props in vendor_dlkm."
diff --git a/private/bug_map b/private/bug_map
index eaa1593..c2670ef 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,5 +1,6 @@
 dnsmasq netd fifo_file b/77868789
 dnsmasq netd unix_stream_socket b/77868789
+gmscore_app ashmem_device chr_file b/160984921
 gmscore_app system_data_file dir b/146166941
 init app_data_file file b/77873135
 init cache_file blk_file b/77873135
diff --git a/private/charger.te b/private/charger.te
index 719ae3c..693fd3a 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -5,5 +5,25 @@
 set_prop(charger, system_prop)
 set_prop(charger, exported_system_prop)
 set_prop(charger, exported3_system_prop)
+set_prop(charger, charger_status_prop)
 
 get_prop(charger, charger_prop)
+get_prop(charger, charger_config_prop)
+
+# get minui properties
+get_prop(charger, recovery_config_prop)
+
+compatible_property_only(`
+    neverallow {
+        -init
+        -dumpstate
+        -charger
+    } charger_prop:file no_rw_file_perms;
+')
+
+neverallow {
+    -init
+    -dumpstate
+    -vendor_init
+    -charger
+} { charger_config_prop charger_status_prop }:file no_rw_file_perms;
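Review bot: Both neverallow rules added in this hunk have a source set made only of exclusions (`-init`, `-dumpstate`, …) with no positive type or attribute to subtract from, so the set likely expands to nothing and the rules would never fire at build time. Start each set with `domain`, e.g. `neverallow { domain -init -dumpstate -vendor_init -charger } { charger_config_prop charger_status_prop }:file no_rw_file_perms;`. The same pattern appears in the `localization_prop` rule added to private/property.te and the `tombstone_config_prop` rule added to private/tombstoned.te. If the sets do expand empty, the reader and setter restrictions these rules are meant to assert are not being checked at all.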
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index a42538f..92ff8d7 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -37,7 +37,9 @@
     build_vendor_prop
     camera_config_prop
     cgroup_bpf
+    charger_config_prop
     charger_exec
+    charger_status_prop
     color_display_service
     content_capture_service
     crossprofileapps_service
@@ -185,6 +187,7 @@
     test_boot_reason_prop
     time_prop
     timedetector_service
+    tombstone_config_prop
     tombstone_wifi_data_file
     trace_data_file
     traced
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index c99cecd..b54644f 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1359,6 +1359,7 @@
 (typeattributeset exported3_default_prop_30_0
   ( exported3_default_prop
     camera_config_prop
+    charger_config_prop
     drm_service_config_prop
     hdmi_config_prop
     keyguard_config_prop
@@ -1368,6 +1369,7 @@
     packagemanager_config_prop
     recovery_config_prop
     telephony_config_prop
+    tombstone_config_prop
     zram_config_prop))
 (typeattributeset exported3_radio_prop_30_0 (exported3_radio_prop))
 (typeattributeset exported3_system_prop_30_0
@@ -1396,7 +1398,7 @@
 (typeattributeset exported_pm_prop_30_0 (exported_pm_prop))
 (typeattributeset exported_radio_prop_30_0 (exported_radio_prop telephony_status_prop))
 (typeattributeset exported_secure_prop_30_0 (exported_secure_prop))
-(typeattributeset exported_system_prop_30_0 (exported_system_prop))
+(typeattributeset exported_system_prop_30_0 (exported_system_prop charger_status_prop))
 (typeattributeset exported_system_radio_prop_30_0
   ( exported_system_radio_prop
     usb_config_prop
diff --git a/private/coredomain.te b/private/coredomain.te
index 92efa47..6062bc0 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -7,6 +7,7 @@
 get_prop(coredomain, hdmi_config_prop)
 get_prop(coredomain, init_service_status_private_prop)
 get_prop(coredomain, lmkd_config_prop)
+get_prop(coredomain, localization_prop)
 get_prop(coredomain, pm_prop)
 get_prop(coredomain, surfaceflinger_color_prop)
 get_prop(coredomain, systemsound_config_prop)
diff --git a/private/property.te b/private/property.te
index 6f984ec..db43ae3 100644
--- a/private/property.te
+++ b/private/property.te
@@ -10,6 +10,7 @@
 system_internal_prop(init_service_status_private_prop)
 system_internal_prop(init_svc_debug_prop)
 system_internal_prop(last_boot_reason_prop)
+system_internal_prop(localization_prop)
 system_internal_prop(netd_stable_secret_prop)
 system_internal_prop(pm_prop)
 system_internal_prop(system_adbd_prop)
@@ -417,3 +418,9 @@
   -coredomain
   -vendor_init
 } keyguard_config_prop:file no_rw_file_perms;
+
+neverallow {
+  -init
+} {
+  localization_prop
+}:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 09fb2cb..7fe47ef 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -228,7 +228,9 @@
 ro.cold_boot_done       u:object_r:cold_boot_done_prop:s0
 
 # Charger properties
-ro.charger.             u:object_r:charger_prop:s0
+ro.charger.                 u:object_r:charger_prop:s0
+sys.boot_from_charger_mode  u:object_r:charger_status_prop:s0 exact int
+ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
 
 # Virtual A/B properties
 ro.virtual_ab.enabled   u:object_r:virtual_ab_prop:s0
@@ -417,8 +419,6 @@
 external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
 external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
 
-ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
-
 ro.lmk.critical                 u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.critical_upgrade         u:object_r:lmkd_config_prop:s0 exact bool
 ro.lmk.debug                    u:object_r:lmkd_config_prop:s0 exact bool
@@ -485,7 +485,7 @@
 sys.usb.ffs.ready     u:object_r:ffs_control_prop:s0 exact bool
 sys.usb.ffs.mtp.ready u:object_r:ffs_control_prop:s0 exact bool
 
-tombstoned.max_tombstone_count u:object_r:exported3_default_prop:s0 exact int
+tombstoned.max_tombstone_count u:object_r:tombstone_config_prop:s0 exact int
 
 vold.post_fs_data_done u:object_r:vold_config_prop:s0 exact int
 
@@ -652,7 +652,6 @@
 
 service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
 
-sys.boot_from_charger_mode            u:object_r:exported_system_prop:s0 exact int
 sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
 sys.use_memfd                         u:object_r:use_memfd_prop:s0 exact bool
 
@@ -851,6 +850,9 @@
 persist.dbg.vt_avail_ovr          u:object_r:telephony_config_prop:s0 exact int
 persist.dbg.wfc_avail_ovr         u:object_r:telephony_config_prop:s0 exact int
 
+# System locale list filter configuration
+ro.localization.locale_filter u:object_r:localization_prop:s0 exact string
+
 # Graphics related properties
 ro.gfx.driver.0        u:object_r:graphics_config_prop:s0 exact string
 ro.gfx.driver.1        u:object_r:graphics_config_prop:s0 exact string
diff --git a/private/tombstoned.te b/private/tombstoned.te
index 305f9d0..ca9a0aa 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -1,3 +1,12 @@
 typeattribute tombstoned coredomain;
 
 init_daemon_domain(tombstoned)
+
+get_prop(tombstoned, tombstone_config_prop)
+
+neverallow {
+    -init
+    -vendor_init
+    -dumpstate
+    -tombstoned
+} tombstone_config_prop:file no_rw_file_perms;
diff --git a/public/netd.te b/public/netd.te
index a020a57..ceb1a27 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -36,8 +36,10 @@
 not_full_treble(`allow netd vendor_file:file x_file_perms;')
 allow netd devpts:chr_file rw_file_perms;
 
-# Acquire advisory lock on /system/etc/xtables.lock
+# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
+# exist, suppress the denial.
 allow netd system_file:file lock;
+dontaudit netd system_file:dir write;
 
 # Allow netd to write to qtaguid ctrl file.
 # TODO: Add proper rules to prevent other process to access qtaguid_proc file
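Review bot: The added `dontaudit netd system_file:dir write;` is not scoped to the lock file; it silences every write denial netd triggers on any directory labeled `system_file`, so an unexpected write attempt elsewhere under that label would no longer appear in the audit log. The comment should state that breadth and the cause, for example `# If xtables.lock is missing, netd presumably tries to create it and is denied dir write; this dontaudit hides all netd system_file:dir write denials, not just that one.` The allow rule stays limited to `lock`, so nothing is newly permitted, but the lost visibility is worth recording for anyone triaging netd denials later.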
diff --git a/public/property.te b/public/property.te
index 4d002a6..f4572c7 100644
--- a/public/property.te
+++ b/public/property.te
@@ -61,6 +61,7 @@
 system_restricted_prop(boot_status_prop)
 system_restricted_prop(bq_config_prop)
 system_restricted_prop(build_prop)
+system_restricted_prop(charger_status_prop)
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(init_service_status_prop)
 system_restricted_prop(libc_debug_prop)
@@ -108,6 +109,7 @@
 system_vendor_config_prop(build_odm_prop)
 system_vendor_config_prop(build_vendor_prop)
 system_vendor_config_prop(camera_config_prop)
+system_vendor_config_prop(charger_config_prop)
 system_vendor_config_prop(cpu_variant_prop)
 system_vendor_config_prop(dalvik_config_prop)
 system_vendor_config_prop(drm_service_config_prop)
@@ -130,6 +132,7 @@
 system_vendor_config_prop(surfaceflinger_prop)
 system_vendor_config_prop(systemsound_config_prop)
 system_vendor_config_prop(telephony_config_prop)
+system_vendor_config_prop(tombstone_config_prop)
 system_vendor_config_prop(usb_config_prop)
 system_vendor_config_prop(userspace_reboot_config_prop)
 system_vendor_config_prop(vehicle_hal_prop)