property_service: get rid of hard coded property / control list

Don't force people to make modifications to property_service.c
when handling properties. Exclusively use the SELinux rules,
which are more flexible and easily adjusted.

Change-Id: Ic0bbd01b5df2eef0040286ac59c0a01e9bd14315
diff --git a/init/property_service.c b/init/property_service.c
index fb3bc8d..aaf6c1e 100644
--- a/init/property_service.c
+++ b/init/property_service.c
@@ -55,64 +55,6 @@
 
 static int property_set_fd = -1;
 
-/* White list of permissions for setting property services. */
-struct {
-    const char *prefix;
-    unsigned int uid;
-    unsigned int gid;
-} property_perms[] = {
-    { "net.rmnet0.",      AID_RADIO,    0 },
-    { "net.gprs.",        AID_RADIO,    0 },
-    { "net.ppp",          AID_RADIO,    0 },
-    { "net.qmi",          AID_RADIO,    0 },
-    { "net.lte",          AID_RADIO,    0 },
-    { "net.cdma",         AID_RADIO,    0 },
-    { "ril.",             AID_RADIO,    0 },
-    { "gsm.",             AID_RADIO,    0 },
-    { "persist.radio",    AID_RADIO,    0 },
-    { "net.dns",          AID_RADIO,    0 },
-    { "sys.usb.config",   AID_RADIO,    0 },
-    { "net.",             AID_SYSTEM,   0 },
-    { "dev.",             AID_SYSTEM,   0 },
-    { "runtime.",         AID_SYSTEM,   0 },
-    { "hw.",              AID_SYSTEM,   0 },
-    { "sys.",             AID_SYSTEM,   0 },
-    { "sys.powerctl",     AID_SHELL,    0 },
-    { "service.",         AID_SYSTEM,   0 },
-    { "wlan.",            AID_SYSTEM,   0 },
-    { "gps.",             AID_GPS,      0 },
-    { "bluetooth.",       AID_BLUETOOTH,   0 },
-    { "dhcp.",            AID_SYSTEM,   0 },
-    { "dhcp.",            AID_DHCP,     0 },
-    { "debug.",           AID_SYSTEM,   0 },
-    { "debug.",           AID_SHELL,    0 },
-    { "log.",             AID_SHELL,    0 },
-    { "service.adb.root", AID_SHELL,    0 },
-    { "service.adb.tcp.port", AID_SHELL,    0 },
-    { "persist.logd.size",AID_SYSTEM,   0 },
-    { "persist.sys.",     AID_SYSTEM,   0 },
-    { "persist.service.", AID_SYSTEM,   0 },
-    { "persist.security.", AID_SYSTEM,   0 },
-    { "persist.gps.",      AID_GPS,      0 },
-    { "persist.service.bdroid.", AID_BLUETOOTH,   0 },
-    { "selinux."         , AID_SYSTEM,   0 },
-    { NULL, 0, 0 }
-};
-
-/*
- * White list of UID that are allowed to start/stop services.
- * Currently there are no user apps that require.
- */
-struct {
-    const char *service;
-    unsigned int uid;
-    unsigned int gid;
-} control_perms[] = {
-    { "dumpstate",AID_SHELL, AID_LOG },
-    { "ril-daemon",AID_RADIO, AID_RADIO },
-     {NULL, 0, 0 }
-};
-
 typedef struct {
     size_t size;
     int fd;
@@ -194,34 +136,10 @@
 }
 
 /*
- * Checks permissions for starting/stoping system services.
- * AID_SYSTEM and AID_ROOT are always allowed.
- *
- * Returns 1 if uid allowed, 0 otherwise.
- */
-static int check_control_perms(const char *name, unsigned int uid, unsigned int gid, char *sctx) {
-
-    int i;
-    if (uid == AID_SYSTEM || uid == AID_ROOT)
-      return check_control_mac_perms(name, sctx);
-
-    /* Search the ACL */
-    for (i = 0; control_perms[i].service; i++) {
-        if (strcmp(control_perms[i].service, name) == 0) {
-            if ((uid && control_perms[i].uid == uid) ||
-                (gid && control_perms[i].gid == gid)) {
-                return check_control_mac_perms(name, sctx);
-            }
-        }
-    }
-    return 0;
-}
-
-/*
  * Checks permissions for setting system properties.
  * Returns 1 if uid allowed, 0 otherwise.
  */
-static int check_perms(const char *name, unsigned int uid, unsigned int gid, char *sctx)
+static int check_perms(const char *name, char *sctx)
 {
     int i;
     unsigned int app_id;
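Review bot: The comment kept above `check_perms` still reads `Returns 1 if uid allowed, 0 otherwise.`, but the new signature `check_perms(const char *name, char *sctx)` no longer takes a uid. It should describe the decision as made on the caller's SELinux context, e.g. `Returns 1 if the source context may set the property, 0 otherwise.` The locals `int i;` and `unsigned int app_id;` are left in place while the next hunk removes their only uses, so both should be deleted to avoid unused-variable warnings. The body of check_perms continues outside this hunk.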
@@ -229,26 +147,7 @@
     if(!strncmp(name, "ro.", 3))
         name +=3;
 
-    if (uid == 0)
-        return check_mac_perms(name, sctx);
-
-    app_id = multiuser_get_app_id(uid);
-    if (app_id == AID_BLUETOOTH) {
-        uid = app_id;
-    }
-
-    for (i = 0; property_perms[i].prefix; i++) {
-        if (strncmp(property_perms[i].prefix, name,
-                    strlen(property_perms[i].prefix)) == 0) {
-            if ((uid && property_perms[i].uid == uid) ||
-                (gid && property_perms[i].gid == gid)) {
-
-                return check_mac_perms(name, sctx);
-            }
-        }
-    }
-
-    return 0;
+    return check_mac_perms(name, sctx);
 }
 
 int __property_get(const char *name, char *value)
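Review bot: With the uid/gid table lookup gone, `return check_mac_perms(name, sctx);` is the only authorization for every property write, so any path where that helper allows by default now decides the whole policy. check_mac_perms is defined outside this diff; if it returns 1 when SELinux is disabled or when `sctx` is NULL, any local process that can reach the property socket could set any property, where the old code fell through to `return 0` for unlisted uids. Confirm it denies in those cases, and that the property contexts policy covers every prefix the removed `property_perms` table carried. The same applies to `check_control_mac_perms` in the ctl.* branch of the last hunk. A comment above the return such as `/* MAC is the only check here: check_mac_perms() must deny when no policy decision is available */` would record the assumption.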
@@ -406,14 +305,14 @@
             // Keep the old close-socket-early behavior when handling
             // ctl.* properties.
             close(s);
-            if (check_control_perms(msg.value, cr.uid, cr.gid, source_ctx)) {
+            if (check_control_mac_perms(msg.value, source_ctx)) {
                 handle_control_message((char*) msg.name + 4, (char*) msg.value);
             } else {
                 ERROR("sys_prop: Unable to %s service ctl [%s] uid:%d gid:%d pid:%d\n",
                         msg.name + 4, msg.value, cr.uid, cr.gid, cr.pid);
             }
         } else {
-            if (check_perms(msg.name, cr.uid, cr.gid, source_ctx)) {
+            if (check_perms(msg.name, source_ctx)) {
                 property_set((char*) msg.name, (char*) msg.value);
             } else {
                 ERROR("sys_prop: permission denied uid:%d  name:%s\n",
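Review bot: The denial messages in both branches still report only uid/gid/pid, but after this change the decision is made on `source_ctx` alone, so a logged denial cannot be matched to the policy rule that rejected it. Adding the context to the ctl.* message, e.g. `ERROR("sys_prop: Unable to %s service ctl [%s] uid:%d gid:%d pid:%d ctx:%s\n", msg.name + 4, msg.value, cr.uid, cr.gid, cr.pid, source_ctx ? source_ctx : "(null)");`, keeps it useful for audit and triage; the property-set message would take the same extra field. The second ERROR call and the enclosing function continue outside the hunk.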