Temporarily whitelisting system domains writing vendor props

system properties must not be used as a communication channel in between
system and vendor processes. However, there has been no enforcement on
this: system process could write system properties that are owned and
read by vendor processes and vice versa. Such communication should be
done over hwbinder and should be formally specified in HIDL.

Until we finish migrating the existing use cases of sysprops to HIDL,
we whitelist them in system_writes_vendor_properties_violators so that
the violators are clearly tracked.

These violators are allowed only for P, but not for Q.

Bug: 78598545
Test: m -j selinux_policy
Change-Id: I60b12f1232c77ad997c8c87e6d91baa14c626e94
diff --git a/sepolicy/private/ramoops.te b/sepolicy/private/ramoops.te
index c7cea81..534fa65 100644
--- a/sepolicy/private/ramoops.te
+++ b/sepolicy/private/ramoops.te
@@ -11,6 +11,7 @@
 allow ramoops toolbox_exec:file rx_file_perms;
 
 # Set the sys.ramoops.decrypted property
+typeattribute ramoops system_writes_vendor_properties_violators;
 set_prop(ramoops, ramoops_prop);
 
 allow ramoops sysfs_pstore:file rw_file_perms;
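Review bot: The new `typeattribute` line exempts the whole ramoops domain from the system/vendor property enforcement, but nothing in the policy file records which property the exemption covers or that it is meant to expire, so the P-only intent lives only in the commit message. A comment on the added line, e.g. `# TODO(b/78598545): P-only exemption for sys.ramoops.decrypted; remove once migrated to HIDL`, would let the next reader tell which write justifies the attribute and when it can go. The same applies to the identical additions in bluetooth.te, cameraserver.te, charger.te, gatekeeperd.te, healthd.te, radio.te, surfaceflinger.te, system_app.te and system_server.te. Here the line is also inserted between `# Set the sys.ramoops.decrypted property` and its `set_prop`, so the existing comment now reads as describing the attribute; placing the `typeattribute` above the comment keeps the pairing intact.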
diff --git a/sepolicy/vendor/bluetooth.te b/sepolicy/vendor/bluetooth.te
index 6d70fab..a71c145 100644
--- a/sepolicy/vendor/bluetooth.te
+++ b/sepolicy/vendor/bluetooth.te
@@ -1,3 +1,4 @@
+typeattribute bluetooth system_writes_vendor_properties_violators;
 set_prop(bluetooth, vendor_bluetooth_prop)
 set_prop(bluetooth, wc_prop)
 
diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te
index d29d473..594f22a 100644
--- a/sepolicy/vendor/cameraserver.te
+++ b/sepolicy/vendor/cameraserver.te
@@ -1,5 +1,6 @@
 allow cameraserver gpu_device:chr_file rw_file_perms;
 
+typeattribute cameraserver system_writes_vendor_properties_violators;
 set_prop(cameraserver, camera_prop)
 
 allow cameraserver sysfs_camera:file r_file_perms;
diff --git a/sepolicy/vendor/charger.te b/sepolicy/vendor/charger.te
index 3f30f35..e847281 100644
--- a/sepolicy/vendor/charger.te
+++ b/sepolicy/vendor/charger.te
@@ -1 +1,2 @@
+typeattribute charger system_writes_vendor_properties_violators;
 set_prop(charger, public_vendor_system_prop)
diff --git a/sepolicy/vendor/gatekeeperd.te b/sepolicy/vendor/gatekeeperd.te
index 647ede2..e4bef11 100644
--- a/sepolicy/vendor/gatekeeperd.te
+++ b/sepolicy/vendor/gatekeeperd.te
@@ -1 +1,2 @@
+typeattribute gatekeeperd system_writes_vendor_properties_violators;
 set_prop(gatekeeperd, keymaster_prop)
diff --git a/sepolicy/vendor/healthd.te b/sepolicy/vendor/healthd.te
index 5032bba..6b22ced 100644
--- a/sepolicy/vendor/healthd.te
+++ b/sepolicy/vendor/healthd.te
@@ -1 +1,2 @@
+typeattribute healthd system_writes_vendor_properties_violators;
 set_prop(healthd, public_vendor_system_prop)
diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te
index 0868a3d..b287bbb 100644
--- a/sepolicy/vendor/radio.te
+++ b/sepolicy/vendor/radio.te
@@ -1,4 +1,5 @@
 get_prop(radio, ims_prop)
+typeattribute radio system_writes_vendor_properties_violators;
 userdebug_or_eng(`set_prop(radio, tel_mon_prop)')
 
 allow radio qmuxd_socket:dir search;
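Review bot: The `typeattribute radio ...` line is unconditional, yet the only property write visible in this hunk, `set_prop(radio, tel_mon_prop)`, is wrapped in `userdebug_or_eng(...)`, so user builds would carry the violator exemption without the write that motivates it. If no other vendor-property write by radio exists elsewhere in radio.te (the rest of the file is outside the hunk, so this cannot be confirmed here), the exemption should be scoped the same way: `userdebug_or_eng(`typeattribute radio system_writes_vendor_properties_violators;')`. The `get_prop(radio, ims_prop)` context line is a read, not a write, and does not by itself require this attribute.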
diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te
index 349151b..636d98b 100644
--- a/sepolicy/vendor/surfaceflinger.te
+++ b/sepolicy/vendor/surfaceflinger.te
@@ -3,4 +3,5 @@
 dontaudit surfaceflinger kernel:system module_request;
 allow surfaceflinger debugfs_ion:dir search;
 
+typeattribute surfaceflinger system_writes_vendor_properties_violators;
 set_prop(surfaceflinger, public_vendor_system_prop)
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
index ac4ef9b..c1ede12 100644
--- a/sepolicy/vendor/system_app.te
+++ b/sepolicy/vendor/system_app.te
@@ -3,6 +3,7 @@
 userdebug_or_eng(`set_prop(system_app, tel_mon_prop)')
 
 # Needed by Settings app's CameraHalHdrplusPreferenceController
+typeattribute system_app system_writes_vendor_properties_violators;
 set_prop(system_app, camera_prop)
 
 # read regulatory info
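Review bot: The added `typeattribute system_app ...` line is placed between `# Needed by Settings app's CameraHalHdrplusPreferenceController` and the `set_prop(system_app, camera_prop)` it explains, so the comment now appears to justify the attribute rather than the property write. Moving the `typeattribute` above the comment, or giving it its own line such as `# TODO(b/78598545): P-only; covers camera_prop and the userdebug_or_eng tel_mon_prop write above`, keeps both rules self-explanatory. Note that the attribute is domain-wide, so it also exempts the `tel_mon_prop` write on the preceding context line, which is worth stating explicitly since that write only exists on userdebug/eng builds.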
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
index 8e38725..bcba87c 100644
--- a/sepolicy/vendor/system_server.te
+++ b/sepolicy/vendor/system_server.te
@@ -23,6 +23,7 @@
 dontaudit system_server hal_audio_default:file write;
 dontaudit system_server appdomain:file write;
 
+typeattribute system_server system_writes_vendor_properties_violators;
 set_prop(system_server, public_vendor_system_prop)
 
 dontaudit system_server self:capability sys_module;