am f5f899c3: Merge from upstream sepolicy
* commit 'f5f899c3c0f684ffba6950b343e652abd78d0fd9':
Rework the radio vs rild property split. Only label properties with the ril. prefix with rild_prop. Allow rild and system (and radio) to set radio_prop. Only rild can set rild_prop presently.
Allow apps to write to anr_data_file for /data/anr/traces.txt.
Add policy for property service. New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties.
Allow adbd to access the qemu device and label /dev/eac correctly.
Integrate nfc_power and rild rules from tuna sepolicy by Bryan Hinton.
Rewrite MLS constraints to only constrain open for app_data_file, not read/write.
Introduce a separate wallpaper_file type for the wallpaper file.
Introduce a separate apk_tmp_file type for the vmdl.*\.tmp files.
Allow the shell to create files on the sdcard.
Drop redundant rules.
Policy changes to support running the latest CTS.
Limit per-device policy files to a well-defined sepolicy prefix.
Add support for per-device .te and .fc files.
diff --git a/Android.mk b/Android.mk
index 64197f1..ee1a931 100644
--- a/Android.mk
+++ b/Android.mk
@@ -11,6 +11,12 @@
MLS_SENS=1
MLS_CATS=1024
+LOCAL_POLICY_DIRS := $(SRC_TARGET_DIR)/board/$(TARGET_DEVICE)/ device/*/$(TARGET_DEVICE)/ vendor/*/$(TARGET_DEVICE)/
+
+LOCAL_POLICY_FC := $(wildcard $(addsuffix sepolicy.fc, $(LOCAL_POLICY_DIRS)))
+LOCAL_POLICY_TE := $(wildcard $(addsuffix sepolicy.te, $(LOCAL_POLICY_DIRS)))
+LOCAL_POLICY_PC := $(wildcard $(addsuffix sepolicy.pc, $(LOCAL_POLICY_DIRS)))
+
##################################
include $(CLEAR_VARS)
@@ -25,7 +31,7 @@
sepolicy_policy.conf := $(intermediates)/policy.conf
$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf) : $(wildcard $(addprefix $(LOCAL_PATH)/,security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users ocontexts))
+$(sepolicy_policy.conf) : $(wildcard $(addprefix $(LOCAL_PATH)/,security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te) $(LOCAL_POLICY_TE) $(addprefix $(LOCAL_PATH)/, roles users ocontexts))
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -s $^ > $@
@@ -38,13 +44,18 @@
include $(CLEAR_VARS)
LOCAL_MODULE := file_contexts
-LOCAL_SRC_FILES := $(LOCAL_MODULE)
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-include $(BUILD_PREBUILT)
+include $(BUILD_SYSTEM)/base_rules.mk
+file_contexts := $(intermediates)/file_contexts
+$(file_contexts): $(LOCAL_PATH)/file_contexts $(LOCAL_POLICY_FC)
+ @mkdir -p $(dir $@)
+ $(hide) cat $^ > $@
+
+file_contexts :=
##################################
include $(CLEAR_VARS)
@@ -57,5 +68,21 @@
include $(BUILD_PREBUILT)
##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+property_contexts := $(intermediates)/property_contexts
+$(property_contexts): $(LOCAL_PATH)/property_contexts $(LOCAL_POLICY_PC)
+ @mkdir -p $(dir $@)
+ $(hide) cat $^ > $@
+
+property_contexts :=
+##################################
endif #ifeq ($(HAVE_SELINUX),true)
diff --git a/access_vectors b/access_vectors
index 90927e7..4b0c4b1 100644
--- a/access_vectors
+++ b/access_vectors
@@ -880,3 +880,8 @@
specifyinvokewith
specifyseinfo
}
+
+class property_service
+{
+ set
+}
diff --git a/adbd.te b/adbd.te
index 4d1e655..d3f9905 100644
--- a/adbd.te
+++ b/adbd.te
@@ -2,6 +2,7 @@
# it lives in the rootfs and has no unique file type.
type adbd, domain, mlstrustedsubject;
allow adbd adb_device:chr_file rw_file_perms;
+allow adbd qemu_device:chr_file rw_file_perms;
allow adbd self:capability { net_raw setgid setuid dac_override sys_boot sys_admin };
allow adbd rootfs:file entrypoint;
allow adbd init:process sigchld;
@@ -23,9 +24,10 @@
# Talk to init via the property socket.
unix_socket_connect(adbd, property, init)
-# Read properties.
-allow adbd kernel:fd use;
-allow adbd tmpfs:file read;
+# Run sh in its own domain.
+domain_auto_trans(adbd, shell_exec, shell)
+# Do not sanitize the environment of the shell.
+allow adbd shell:process noatsecure;
# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
diff --git a/app.te b/app.te
index 976b6bc..7e06c10 100644
--- a/app.te
+++ b/app.te
@@ -28,11 +28,7 @@
allow trusted_app sdcard:dir create_dir_perms;
allow trusted_app sdcard:file create_file_perms;
# Populate /data/app/vmdl*.tmp file created by system server.
-# It would be better if this was labeled differently.
-allow trusted_app apk_data_file:file write;
-# Perform binder IPC to any app domain.
-binder_call(trusted_app, appdomain)
-binder_transfer(trusted_app, appdomain)
+allow trusted_app apk_tmp_file:file rw_file_perms;
#
# An example of a specific domain for a specific app
@@ -100,11 +96,18 @@
# lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms;
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { read write };
+
+# Write to /data/anr/traces.txt.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
binder_transfer(appdomain, binderservicedomain)
-# Perform binder IPC to apps in the trusted_app domain.
-binder_call(appdomain, trusted_app)
-binder_transfer(appdomain, trusted_app)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+binder_transfer(appdomain, appdomain)
diff --git a/attributes b/attributes
index f2ea0c5..1016ec6 100644
--- a/attributes
+++ b/attributes
@@ -33,6 +33,9 @@
# All types used for network ports.
attribute port_type;
+# All types used for property service
+attribute property_type;
+
# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
attribute mlstrustedsubject;
diff --git a/debuggerd.te b/debuggerd.te
index f808ea9..b85133b 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -12,3 +12,4 @@
allow debuggerd tombstone_data_file:file create_file_perms;
allow debuggerd domain:process { sigstop signal };
allow debuggerd exec_type:file r_file_perms;
+allow debuggerd log_device:chr_file r_file_perms;
diff --git a/domain.te b/domain.te
index 55c9ecd..2e9720e 100644
--- a/domain.te
+++ b/domain.te
@@ -3,6 +3,10 @@
# Allow reaping by init.
allow domain init:process sigchld;
+# Read access to properties mapping.
+allow domain kernel:fd use;
+allow domain tmpfs:file read;
+
# binder adjusts the nice value during IPC.
allow domain self:capability sys_nice;
@@ -29,7 +33,7 @@
# Root fs.
allow domain rootfs:dir r_dir_perms;
-allow domain rootfs:lnk_file read;
+allow domain rootfs:lnk_file { read getattr };
# Device accesses.
allow domain device:dir search;
diff --git a/drmserver.te b/drmserver.te
index 5b46ea8..624ae13 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -8,3 +8,9 @@
# Perform Binder IPC to system server.
binder_use(drmserver)
binder_call(drmserver, system)
+binder_call(drmserver, appdomain)
+binder_service(drmserver)
+
+allow drmserver sdcard:dir search;
+allow drmserver drm_data_file:dir create_dir_perms;
+allow drmserver drm_data_file:file create_file_perms;
diff --git a/file.te b/file.te
index 11c3ef6..b6e3a5d 100644
--- a/file.te
+++ b/file.te
@@ -8,6 +8,7 @@
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, mlstrustedobject;
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type;
type tmpfs, fs_type;
@@ -22,12 +23,15 @@
type system_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type;
+# /data/drm - DRM plugin data
+type drm_data_file, file_type, data_file_type;
# /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type;
+type anr_data_file, file_type, data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type;
# /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type, mlstrustedobject;
+type apk_data_file, file_type, data_file_type;
+type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type;
# /data/local - writable by shell
@@ -49,6 +53,8 @@
type cache_file, file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
+# Type for wallpaper file.
+type wallpaper_file, file_type;
# Socket types
type bluetooth_socket, file_type;
diff --git a/file_contexts b/file_contexts
index 92c6bb0..c610df3 100644
--- a/file_contexts
+++ b/file_contexts
@@ -23,6 +23,7 @@
/dev/console u:object_r:console_device:s0
/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
/dev/device-mapper u:object_r:dm_device:s0
+/dev/eac u:object_r:audio_device:s0
/dev/full u:object_r:full_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
/dev/input(/.*) u:object_r:input_device:s0
@@ -101,10 +102,12 @@
# Data files
#
/data(/.*)? u:object_r:system_data_file:s0
+/data/drm(/.*)? u:object_r:drm_data_file:s0
/data/gps(/.*)? u:object_r:gps_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
+/data/app/vmdl.*\.tmp u:object_r:apk_tmp_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/local(/.*)? u:object_r:shell_data_file:s0
# Misc data
@@ -116,6 +119,8 @@
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
# App sandboxes
/data/data/.* u:object_r:app_data_file:s0
+# Wallpaper file.
+/data/data/com.android.settings/files/wallpaper u:object_r:wallpaper_file:s0
#############################
# efs files
#
@@ -128,3 +133,4 @@
# sysfs files
#
/sys/qemu_trace/process_name -- u:object_r:sysfs_writable:s0
+/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
diff --git a/installd.te b/installd.te
index e4b0b18..466125e 100644
--- a/installd.te
+++ b/installd.te
@@ -12,6 +12,7 @@
allow installd data_file_type:dir { relabelfrom relabelto };
allow installd data_file_type:file { getattr unlink };
allow installd apk_data_file:file r_file_perms;
+allow installd apk_tmp_file:file r_file_perms;
allow installd system_file:file x_file_perms;
allow installd cgroup:dir create_dir_perms;
dontaudit installd self:capability sys_admin;
diff --git a/mls b/mls
index 9bb4068..a4c214b 100644
--- a/mls
+++ b/mls
@@ -60,21 +60,37 @@
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+#
+# Constraints for app data files only.
+#
+
+# Only constrain open, not read/write.
+# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
+# Subject must be equivalent to object unless the subject is trusted.
+mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+ (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
+ (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+
+#
+# Constraints for file types other than app data files.
+#
+
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be dominated by the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
diff --git a/nfc.te b/nfc.te
index b20d236..72c2d69 100644
--- a/nfc.te
+++ b/nfc.te
@@ -8,3 +8,5 @@
# Data file accesses.
allow nfc nfc_data_file:dir create_dir_perms;
allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
+
+allow nfc sysfs_nfc_power_writable:file rw_file_perms;
diff --git a/property.te b/property.te
new file mode 100644
index 0000000..b62004e
--- /dev/null
+++ b/property.te
@@ -0,0 +1,9 @@
+type default_prop, property_type;
+type shell_prop, property_type;
+type radio_prop, property_type;
+type system_prop, property_type;
+type vold_prop, property_type;
+type rild_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_dumpstate_prop, property_type;
+type ctl_rildaemon_prop, property_type;
diff --git a/property_contexts b/property_contexts
new file mode 100644
index 0000000..dc87c9b
--- /dev/null
+++ b/property_contexts
@@ -0,0 +1,47 @@
+##########################
+# property service keys
+#
+#
+net.rmnet0 u:object_r:radio_prop:s0
+net.gprs u:object_r:radio_prop:s0
+net.ppp u:object_r:radio_prop:s0
+net.qmi u:object_r:radio_prop:s0
+net.lte u:object_r:radio_prop:s0
+net.cdma u:object_r:radio_prop:s0
+gsm. u:object_r:radio_prop:s0
+persist.radio u:object_r:radio_prop:s0
+net.dns u:object_r:radio_prop:s0
+sys.usb.config u:object_r:radio_prop:s0
+
+ril. u:object_r:rild_prop:s0
+
+net. u:object_r:system_prop:s0
+dev. u:object_r:system_prop:s0
+runtime. u:object_r:system_prop:s0
+hw. u:object_r:system_prop:s0
+sys. u:object_r:system_prop:s0
+service. u:object_r:system_prop:s0
+wlan. u:object_r:system_prop:s0
+dhcp. u:object_r:system_prop:s0
+
+debug. u:object_r:shell_prop:s0
+log. u:object_r:shell_prop:s0
+service.adb.root u:object_r:shell_prop:s0
+service.adb.tcp.port u:object_r:shell_prop:s0
+
+persist.sys. u:object_r:system_prop:s0
+persist.service. u:object_r:system_prop:s0
+persist.security. u:object_r:system_prop:s0
+selinux. u:object_r:system_prop:s0
+
+# default property context
+* u:object_r:default_prop:s0
+
+# data partition encryption properties
+vold. u:object_r:vold_prop:s0
+crypto. u:object_r:vold_prop:s0
+
+# ctl properties
+ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
+ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
+ctl. u:object_r:ctl_default_prop:s0
diff --git a/radio.te b/radio.te
index 9094cce..a119d75 100644
--- a/radio.te
+++ b/radio.te
@@ -15,3 +15,9 @@
allow radio radio_data_file:notdevfile_class_set create_file_perms;
allow radio alarm_device:chr_file rw_file_perms;
+
+# Property service
+allow radio radio_prop:property_service set;
+
+# ctl interface
+allow radio ctl_rildaemon_prop:property_service set;
diff --git a/rild.te b/rild.te
index 2857892..a0a4a37 100644
--- a/rild.te
+++ b/rild.te
@@ -4,6 +4,7 @@
init_daemon_domain(rild)
net_domain(rild)
+allow rild self:netlink_route_socket setopt;
allow rild kernel:system module_request;
unix_socket_connect(rild, property, init)
unix_socket_connect(rild, qemud, qemud)
@@ -19,3 +20,7 @@
dontaudit rild self:capability sys_admin;
# XXX Label sysfs files with a specific type?
allow rild sysfs:file rw_file_perms;
+
+# property service
+allow rild rild_prop:property_service set;
+allow rild radio_prop:property_service set;
diff --git a/security_classes b/security_classes
index 38d78eb..197805e 100644
--- a/security_classes
+++ b/security_classes
@@ -134,4 +134,7 @@
class binder
class zygote
+# Property service
+class property_service # userspace
+
# FLASK
diff --git a/shell.te b/shell.te
index a66eaf4..b4fa7fd 100644
--- a/shell.te
+++ b/shell.te
@@ -1,6 +1,5 @@
type shell, domain;
type shell_exec, file_type;
-domain_auto_trans(adbd, shell_exec, shell)
domain_auto_trans(init, shell_exec, shell)
allow shell rootfs:dir r_dir_perms;
allow shell devpts:chr_file rw_file_perms;
@@ -13,9 +12,9 @@
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
-# Read properties.
-allow shell kernel:fd use;
-allow shell tmpfs:file read;
+# Access sdcard.
+allow shell sdcard:dir rw_dir_perms;
+allow shell sdcard:file create_file_perms;
r_dir_file(shell, apk_data_file)
allow shell dalvikcache_data_file:file write;
@@ -32,3 +31,12 @@
# Run app_process.
# XXX Split into its own domain?
app_domain(shell)
+
+# Property Service
+allow shell shell_prop:property_service set;
+
+# setprop toolbox command
+allow shell property_socket:sock_file write;
+
+# ctl interface
+allow shell ctl_dumpstate_prop:property_service set;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 80607da..bbefa14 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -22,3 +22,6 @@
# Create and use netlink kobject uevent sockets.
allow surfaceflinger self:netlink_kobject_uevent_socket *;
+
+# ctl interface
+allow surfaceflinger ctl_default_prop:property_service set;
diff --git a/system.te b/system.te
index ef0d12e..6466e96 100644
--- a/system.te
+++ b/system.te
@@ -15,6 +15,9 @@
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
# Write to dalvikcache.
allow system_app dalvikcache_data_file:file { write setattr };
@@ -110,6 +113,7 @@
# XXX Label sysfs files with a specific type?
allow system sysfs:file rw_file_perms;
+allow system sysfs_nfc_power_writable:file rw_file_perms;
# Access devices.
allow system device:dir r_dir_perms;
@@ -130,6 +134,25 @@
allow system data_file_type:dir create_dir_perms;
allow system data_file_type:notdevfile_class_set create_file_perms;
+# Read /file_contexts.
+allow system rootfs:file r_file_perms;
+
+# Relabel apk files.
+allow system apk_tmp_file:file { relabelfrom relabelto };
+allow system apk_data_file:file { relabelfrom relabelto };
+
+# Relabel wallpaper.
+allow system system_data_file:file relabelfrom;
+allow system wallpaper_file:file relabelto;
+allow system wallpaper_file:file r_file_perms;
+
+# Property Service write
+allow system system_prop:property_service set;
+allow system radio_prop:property_service set;
+
+# ctl interface
+allow system ctl_default_prop:property_service set;
+
# Create a socket for receiving info from wpa.
type_transition system wifi_data_file:sock_file system_wpa_socket;
allow system system_wpa_socket:sock_file create_file_perms;
@@ -141,7 +164,7 @@
# Run system programs, e.g. dexopt.
allow system system_file:file x_file_perms;
-# Silently deny any /proc accesses that are not allowed.
-# This suppresses noise from walking the process list.
-dontaudit system domain:dir r_dir_perms;
-dontaudit system domain:file r_file_perms;
+# Allow reading of /proc/pid data for other domains.
+# XXX dontaudit candidate
+allow system domain:dir r_dir_perms;
+allow system domain:file r_file_perms;
diff --git a/te_macros b/te_macros
index 75f294c..9146e22 100644
--- a/te_macros
+++ b/te_macros
@@ -97,9 +97,6 @@
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
tmpfs_domain($1)
-# Read properties.
-allow $1 kernel:fd use;
-allow $1 tmpfs:file read;
')
#####################################
diff --git a/ueventd.te b/ueventd.te
index 89dd9ee..5e51332 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -16,6 +16,3 @@
allow ueventd dev_type:chr_file { create setattr unlink };
allow ueventd dev_type:blk_file { create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket *;
-# Read properties.
-allow ueventd kernel:fd use;
-allow ueventd tmpfs:file read;
diff --git a/unconfined.te b/unconfined.te
index 71cdfdd..ff53595 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -21,3 +21,4 @@
allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
allow unconfineddomain domain:peer recv;
allow unconfineddomain domain:binder { call transfer receive };
+allow unconfineddomain property_type:property_service set;
diff --git a/vold.te b/vold.te
index 85a58f9..403771f 100644
--- a/vold.te
+++ b/vold.te
@@ -54,3 +54,6 @@
# Create and mount on /data/tmp_mnt.
allow vold system_data_file:dir { write create add_name mounton };
+
+# Property Service
+allow vold vold_prop:property_service set;
