Merge "Disallow untrusted apps to read ro.debuggable and ro.secure"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index f716367..0d6d42c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -255,3 +255,15 @@
 
 # Only privileged apps may find the incident service
 neverallow all_untrusted_apps incident_service:service_manager find;
+
+# Do not allow untrusted app to read hidden system proprerties
+# We exclude older application for compatibility and we do not include in the exclusions other normally
+# untrusted applications such as mediaprovider due to the specific logging use cases.
+# Context: b/193912100
+neverallow {
+  untrusted_app_all
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+  -untrusted_app_30
+} { userdebug_or_eng_prop }:file read;
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index d71298a..4b296c9 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -1455,6 +1455,7 @@
 (typeattributeset build_config_prop_33_0 (build_config_prop))
 (typeattributeset build_odm_prop_33_0 (build_odm_prop))
 (typeattributeset build_prop_33_0 (build_prop))
+(typeattributeset build_prop_33_0 (userdebug_or_eng_prop))
 (typeattributeset build_vendor_prop_33_0 (build_vendor_prop))
 (typeattributeset cache_backup_file_33_0 (cache_backup_file))
 (typeattributeset cache_block_device_33_0 (cache_block_device))
diff --git a/private/property_contexts b/private/property_contexts
index 2149091..7ded7cc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -852,7 +852,7 @@
 
 ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
 
-ro.debuggable       u:object_r:build_prop:s0 exact bool
+ro.debuggable       u:object_r:userdebug_or_eng_prop:s0 exact bool
 ro.force.debuggable u:object_r:build_prop:s0 exact bool
 
 ro.treble.enabled u:object_r:build_prop:s0 exact bool
@@ -880,7 +880,7 @@
 ro.system.build.version.sdk                 u:object_r:build_prop:s0 exact int
 
 ro.adb.secure u:object_r:build_prop:s0 exact bool
-ro.secure     u:object_r:build_prop:s0 exact int
+ro.secure     u:object_r:userdebug_or_eng_prop:s0 exact int
 
 ro.product.system_ext.brand        u:object_r:build_prop:s0 exact string
 ro.product.system_ext.device       u:object_r:build_prop:s0 exact string
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 4235d7e..51cb514 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -52,3 +52,7 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+
+
+# Allow hidden build props
+get_prop(untrusted_app_25, userdebug_or_eng_prop)
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index c747af1..0dde760 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -40,3 +40,6 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop(untrusted_app_27, userdebug_or_eng_prop)
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 6bb2606..0360184 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -18,3 +18,6 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop(untrusted_app_29, userdebug_or_eng_prop)
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index e0a71ef..6893aca 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -20,3 +20,6 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+
+# Allow hidden build props
+get_prop(untrusted_app_30, userdebug_or_eng_prop)
diff --git a/public/domain.te b/public/domain.te
index 6ef4566..11a14c5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -130,6 +130,7 @@
 get_prop(domain, socket_hook_prop)
 get_prop(domain, surfaceflinger_prop)
 get_prop(domain, telephony_status_prop)
+get_prop({domain - untrusted_app_all },  userdebug_or_eng_prop)
 get_prop(domain, vendor_socket_hook_prop)
 get_prop(domain, vndk_prop)
 get_prop(domain, vold_status_prop)
@@ -577,6 +578,7 @@
 
 neverallow { domain -init } aac_drc_prop:property_service set;
 neverallow { domain -init } build_prop:property_service set;
+neverallow { domain -init } userdebug_or_eng_prop:property_service set;
 
 # Do not allow reading device's serial number from system properties except form
 # a few allowed domains.
diff --git a/public/property.te b/public/property.te
index 5812a90..b6c365d 100644
--- a/public/property.te
+++ b/public/property.te
@@ -72,6 +72,7 @@
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(gwp_asan_prop)
 system_restricted_prop(hal_instrumentation_prop)
+system_restricted_prop(userdebug_or_eng_prop)
 system_restricted_prop(hypervisor_prop)
 system_restricted_prop(init_service_status_prop)
 system_restricted_prop(libc_debug_prop)