Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / fc688b3a7fac4ba1625bb58e42259c55eaf780ad^! / . / private
commitfc688b3a7fac4ba1625bb58e42259c55eaf780ad[log] [tgz]
authorInseob Kim <inseob@google.com>Tue May 19 22:02:58 2020 +0900
committerInseob Kim <inseob@google.com>Wed May 20 07:55:13 2020 +0000
tree84a276e91d500f0b3cda9af396d2f679214f3a83
parent5f1fe1eaac93de40ef7800b008aca963d15ddfbf [diff]
Refine build.prop related properties

1) build_odm_prop and build_vendor_prop are added

These contexts will contain world-readable properties from
/odm/build.prop and /vendor/build.prop, respectively.

2) move more properties to build_prop

Following properties are set by /system/build.prop and now assigned as
build_prop:

- ro.adb.secure
- ro.build.type
- ro.product.cpu.abi
- ro.product.cpu.abilist
- ro.product.cpu.abilist32
- ro.product.cpu.abilist64
- ro.secure

Following properties are set by init/property_service.cpp and now
assigned as build_prop:

- ro.product.brand
- ro.product.device
- ro.product.manufacturer
- ro.product.model
- ro.product.name

Bug: 71814576
Bug: 155844385
Test: boot device and see no denials
Change-Id: Idd4f81de4d2d0fc4bdec2d7ecb08bb8e078dab58

diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 2dd0265..4692f1f 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil

@@ -31,7 +31,9 @@
     bluetooth_a2dp_offload_prop
     bpfloader
     bpfloader_exec
+    build_odm_prop
     build_prop
+    build_vendor_prop
     camera_config_prop
     cgroup_bpf
     charger_exec

diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 481cbe3..70d3cee 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil

@@ -1373,6 +1373,8 @@
 (typeattributeset exported_dalvik_prop_30_0 (exported_dalvik_prop dalvik_config_prop))
 (typeattributeset exported_default_prop_30_0
   ( exported_default_prop
+    build_odm_prop
+    build_vendor_prop
     surfaceflinger_prop))
 (typeattributeset exported_dumpstate_prop_30_0 (exported_dumpstate_prop))
 (typeattributeset exported_ffs_prop_30_0

diff --git a/private/property_contexts b/private/property_contexts
index 3f15983..1a6e726 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -560,8 +560,6 @@
 persist.sys.timezone     u:object_r:exported_system_prop:s0 exact string
 persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
 
-ro.adb.secure u:object_r:exported_secure_prop:s0 exact bool
-
 ro.arch u:object_r:exported2_default_prop:s0 exact string
 
 ro.audio.ignore_effects u:object_r:exported2_default_prop:s0 exact bool
@@ -596,6 +594,7 @@
 ro.build.product                     u:object_r:build_prop:s0 exact string
 ro.build.system_root_image           u:object_r:build_prop:s0 exact bool
 ro.build.tags                        u:object_r:build_prop:s0 exact string
+ro.build.type                        u:object_r:build_prop:s0 exact string
 ro.build.user                        u:object_r:build_prop:s0 exact string
 ro.build.version.base_os             u:object_r:build_prop:s0 exact string
 ro.build.version.codename            u:object_r:build_prop:s0 exact string
@@ -608,25 +607,61 @@
 
 ro.debuggable u:object_r:build_prop:s0 exact bool
 
+ro.product.cpu.abi       u:object_r:build_prop:s0 exact string
+ro.product.cpu.abilist   u:object_r:build_prop:s0 exact string
+ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
+ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
+
+ro.adb.secure u:object_r:build_prop:s0 exact bool
+ro.secure     u:object_r:build_prop:s0 exact int
+
+# These 5 properties are set by property_service
+ro.product.brand         u:object_r:build_prop:s0 exact string
+ro.product.device        u:object_r:build_prop:s0 exact string
+ro.product.manufacturer  u:object_r:build_prop:s0 exact string
+ro.product.model         u:object_r:build_prop:s0 exact string
+ro.product.name          u:object_r:build_prop:s0 exact string
+
+# All odm build props are set by /odm/build.prop
+ro.odm.build.date                u:object_r:build_odm_prop:s0 exact string
+ro.odm.build.date.utc            u:object_r:build_odm_prop:s0 exact int
+ro.odm.build.fingerprint         u:object_r:build_odm_prop:s0 exact string
+ro.odm.build.version.incremental u:object_r:build_odm_prop:s0 exact string
+
+ro.product.odm.brand        u:object_r:build_odm_prop:s0 exact string
+ro.product.odm.device       u:object_r:build_odm_prop:s0 exact string
+ro.product.odm.manufacturer u:object_r:build_odm_prop:s0 exact string
+ro.product.odm.model        u:object_r:build_odm_prop:s0 exact string
+ro.product.odm.name         u:object_r:build_odm_prop:s0 exact string
+
+# All vendor build props are set by /vendor/build.prop
+ro.vendor.build.date                u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.date.utc            u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.build.fingerprint         u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+
+ro.product.board               u:object_r:build_vendor_prop:s0 exact string
+ro.product.first_api_level     u:object_r:build_vendor_prop:s0 exact int
+ro.product.vendor.brand        u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.device       u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.manufacturer u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.model        u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.name         u:object_r:build_vendor_prop:s0 exact string
+
+# These are also set by /vendor/build.prop
+ro.bootimage.build.date        u:object_r:build_vendor_prop:s0 exact string
+ro.bootimage.build.date.utc    u:object_r:build_vendor_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+
 ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
 ro.crypto.type  u:object_r:vold_status_prop:s0 exact enum block file none
 
 ro.hardware u:object_r:exported2_default_prop:s0 exact string
 
-ro.product.brand        u:object_r:exported2_default_prop:s0 exact string
-ro.product.cpu.abi      u:object_r:exported2_default_prop:s0 exact string
-ro.product.cpu.abilist  u:object_r:exported2_default_prop:s0 exact string
-ro.product.device       u:object_r:exported2_default_prop:s0 exact string
-ro.product.manufacturer u:object_r:exported2_default_prop:s0 exact string
-ro.product.model        u:object_r:exported2_default_prop:s0 exact string
-ro.product.name         u:object_r:exported2_default_prop:s0 exact string
-
 ro.property_service.version u:object_r:exported2_default_prop:s0 exact int
 
 ro.revision u:object_r:exported2_default_prop:s0 exact string
 
-ro.secure u:object_r:exported_secure_prop:s0 exact int
-
 ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
 
 service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
@@ -663,10 +698,6 @@
 ro.boot.product.vendor.sku   u:object_r:exported_default_prop:s0 exact string
 ro.boot.slot_suffix          u:object_r:exported_default_prop:s0 exact string
 
-ro.bootimage.build.date        u:object_r:exported_default_prop:s0 exact string
-ro.bootimage.build.date.utc    u:object_r:exported_default_prop:s0 exact int
-ro.bootimage.build.fingerprint u:object_r:exported_default_prop:s0 exact string
-
 ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
 
 ro.build.ab_update         u:object_r:exported_default_prop:s0 exact string
@@ -728,36 +759,12 @@
 ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
 ro.kernel.ebpf.supported   u:object_r:exported_default_prop:s0 exact bool
 
-ro.odm.build.date                u:object_r:exported_default_prop:s0 exact string
-ro.odm.build.date.utc            u:object_r:exported_default_prop:s0 exact int
-ro.odm.build.fingerprint         u:object_r:exported_default_prop:s0 exact string
-ro.odm.build.version.incremental u:object_r:exported_default_prop:s0 exact string
-
 ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
 
-ro.product.board               u:object_r:exported_default_prop:s0 exact string
-ro.product.cpu.abilist32       u:object_r:exported_default_prop:s0 exact string
-ro.product.cpu.abilist64       u:object_r:exported_default_prop:s0 exact string
-ro.product.first_api_level     u:object_r:exported_default_prop:s0 exact int
-ro.product.odm.brand           u:object_r:exported_default_prop:s0 exact string
-ro.product.odm.device          u:object_r:exported_default_prop:s0 exact string
-ro.product.odm.manufacturer    u:object_r:exported_default_prop:s0 exact string
-ro.product.odm.model           u:object_r:exported_default_prop:s0 exact string
-ro.product.odm.name            u:object_r:exported_default_prop:s0 exact string
-ro.product.vendor.brand        u:object_r:exported_default_prop:s0 exact string
-ro.product.vendor.device       u:object_r:exported_default_prop:s0 exact string
-ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
-ro.product.vendor.model        u:object_r:exported_default_prop:s0 exact string
-ro.product.vendor.name         u:object_r:exported_default_prop:s0 exact string
-ro.product.vndk.version        u:object_r:vndk_prop:s0 exact string
+ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
 
 ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact enum default legacy AP-assisted
 
-ro.vendor.build.date                u:object_r:exported_default_prop:s0 exact string
-ro.vendor.build.date.utc            u:object_r:exported_default_prop:s0 exact int
-ro.vendor.build.fingerprint         u:object_r:exported_default_prop:s0 exact string
-ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string
-
 ro.vndk.lite    u:object_r:vndk_prop:s0 exact bool
 ro.vndk.version u:object_r:vndk_prop:s0 exact string
 
@@ -786,8 +793,6 @@
 
 ro.bootmode u:object_r:exported2_default_prop:s0 exact string
 
-ro.build.type u:object_r:exported2_default_prop:s0 exact string
-
 sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
 
 # surfaceflinger properties