Merge "Support fine grain read access control for properties" am: 6fa6bdb6ee am: c28d909159
am: 67100b5f6e
* commit '67100b5f6ebb3595a6f9114ebc0704ca0fd4384f':
Support fine grain read access control for properties
diff --git a/device.te b/device.te
index b1b4582..6457017 100644
--- a/device.te
+++ b/device.te
@@ -54,6 +54,7 @@
type usb_device, dev_type, mlstrustedobject;
type klog_device, dev_type;
type properties_device, dev_type;
+type properties_serial, dev_type;
type i2c_device, dev_type;
# All devices have a uart for the hci
diff --git a/domain.te b/domain.te
index 19ca544..3aec211 100644
--- a/domain.te
+++ b/domain.te
@@ -76,7 +76,14 @@
allow domain alarm_device:chr_file r_file_perms;
allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
-allow domain properties_device:file r_file_perms;
+allow domain properties_device:dir r_dir_perms;
+allow domain properties_serial:file r_file_perms;
+
+# For now, everyone can access all property files
+get_prop(domain, property_type)
+dontaudit domain property_type:file audit_access;
+allow domain property_contexts:file r_file_perms;
+
allow domain init:key search;
allow domain vold:key search;
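Review bot: The blanket `get_prop(domain, property_type)` leaves every domain able to read every property file, so the per-type labels this commit introduces do not yet restrict any read. The "For now" comment does not say what has to happen before the grant can be removed. I would expand it to `# TODO: replace with per-domain get_prop() rules; until then every domain can read every property type.` The `dontaudit domain property_type:file audit_access;` line also needs a one-line comment naming the denials it silences (presumably access() probes for permissions beyond read). A dontaudit across the whole attribute will otherwise hide those probes when the grant is later narrowed.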
diff --git a/file.te b/file.te
index efd42b4..7d8a0ba 100644
--- a/file.te
+++ b/file.te
@@ -193,6 +193,9 @@
# UART (for GPS) control proc file
type gps_control, file_type;
+# property_contexts file
+type property_contexts, file_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
diff --git a/file_contexts b/file_contexts
index 80cf545..5d60822 100644
--- a/file_contexts
+++ b/file_contexts
@@ -34,7 +34,7 @@
# SELinux policy files
/file_contexts\.bin u:object_r:rootfs:s0
-/property_contexts u:object_r:rootfs:s0
+/property_contexts u:object_r:property_contexts:s0
/seapp_contexts u:object_r:rootfs:s0
/sepolicy u:object_r:rootfs:s0
/service_contexts u:object_r:rootfs:s0
diff --git a/init.te b/init.te
index e6c7825..d07c5a7 100644
--- a/init.te
+++ b/init.te
@@ -14,8 +14,9 @@
# /dev/socket
allow init { device socket_device }:dir relabelto;
# /dev/__properties__
-allow init tmpfs:file relabelfrom;
-allow init properties_device:file relabelto;
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { create_file_perms relabelto };
# setrlimit
allow init self:capability sys_resource;
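Review bot: With `allow init tmpfs:file relabelfrom;` removed, this hunk grants only `relabelto` on `properties_serial` and `property_type`, and no `relabelfrom` for the label the files carry before init relabels them is visible here. If init creates the files and then sets their label, it still needs `relabelfrom` on the initial type; if they are created directly with their final label, `relabelto` may be unnecessary. The rest of init.te is outside the hunk, so this should be confirmed there. Separately, `create_file_perms` on the whole `property_type` attribute is broad, and a comment such as `# init creates and writes the property files under /dev/__properties__` would record why it is needed.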
diff --git a/property.te b/property.te
index 07b5091..9e97b60 100644
--- a/property.te
+++ b/property.te
@@ -30,3 +30,5 @@
type nfc_prop, property_type;
type dalvik_prop, property_type;
type config_prop, property_type;
+
+allow property_type tmpfs:filesystem associate;
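Review bot: The new `allow property_type tmpfs:filesystem associate;` has no comment and sits directly under a run of type declarations, where a reader does not expect an allow rule. A line such as `# Property files are created on the tmpfs that backs /dev/__properties__.` would explain it. That the files live on tmpfs is inferred from the init.te rules in this commit, so the wording should be confirmed.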
diff --git a/te_macros b/te_macros
index 1936ffb..37b33a9 100644
--- a/te_macros
+++ b/te_macros
@@ -153,6 +153,15 @@
')
#####################################
+# get_prop(sourcedomain, targetproperty)
+# Allows source domain to read the
+# targetproperty.
+#
+define(`get_prop', `
+allow $1 $2:file r_file_perms;
+')
+
+#####################################
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.