Add sepolicy for microdroid_config_prop sysprops

Bug: 260361248
Bug: 260005615
Test: m
Change-Id: I50f7c0040ce6d315a3dc910c4f0b412d244a7449
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 8765f75..4c19cfe 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -82,6 +82,9 @@
 # Allow microdroid_manager to pass the roothash to apkdmverity
 set_prop(microdroid_manager, microdroid_manager_roothash_prop)
 
+# Allow microdroid_manager to set sysprops calculated from the payload config
+set_prop(microdroid_manager, microdroid_config_prop)
+
 # Allow microdroid_manager to shutdown the device when verification fails
 set_prop(microdroid_manager, powerctl_prop)
 
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index a02a7f2..733bb33 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -39,3 +39,16 @@
   domain
   -init
 } apexd_payload_metadata_prop:property_service set;
+
+# Only microdroid_manager and init can set the microdroid_config_prop sysprops
+neverallow {
+    domain
+    -init
+    -microdroid_manager
+} microdroid_config_prop:property_service set;
+
+neverallow {
+    domain
+    -init
+    -microdroid_manager
+} microdroid_config_prop:file no_rw_file_perms;
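Review bot: The comment above the two added neverallow rules only mentions setting, but the second rule on `microdroid_config_prop:file no_rw_file_perms` also forbids every domain other than init and microdroid_manager from opening or reading these properties, assuming `no_rw_file_perms` expands as it does in the platform's global macros. That read restriction is the less obvious half: a future consumer that needs `get_prop` on `microdroid_manager.config_done` would have to be added to the exclusion set here as well as given an allow rule. I would document it with a second comment directly before that rule, for example `# Only microdroid_manager and init can read the microdroid_config_prop sysprops`. The two exclusion sets are identical and should be kept in sync if either one changes.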
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index c8d3c01..ad8a064 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -121,6 +121,9 @@
 microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
 microdroid_manager.apk.mounted u:object_r:microdroid_manager_zipfuse_prop:s0 exact bool
 
+microdroid_manager.authfs.enabled u:object_r:microdroid_config_prop:s0 exact bool
+microdroid_manager.config_done u:object_r:microdroid_config_prop:s0 exact bool
+
 dev.mnt.blk.root   u:object_r:dev_mnt_prop:s0 exact string
 dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
 dev.mnt.dev.root   u:object_r:dev_mnt_prop:s0 exact string
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 5008bc7..fdb8cc5 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -40,6 +40,7 @@
 type log_tag_prop, property_type;
 type microdroid_manager_roothash_prop, property_type;
 type microdroid_manager_zipfuse_prop, property_type;
+type microdroid_config_prop, property_type;
 type property_service_version_prop, property_type;
 type shell_prop, property_type;
 type timezone_prop, property_type;