Add policy for property service.
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
diff --git a/Android.mk b/Android.mk
index c210dcb..0ebc49c 100644
--- a/Android.mk
+++ b/Android.mk
@@ -15,6 +15,7 @@
LOCAL_POLICY_FC := $(wildcard $(addsuffix sepolicy.fc, $(LOCAL_POLICY_DIRS)))
LOCAL_POLICY_TE := $(wildcard $(addsuffix sepolicy.te, $(LOCAL_POLICY_DIRS)))
+LOCAL_POLICY_PC := $(wildcard $(addsuffix sepolicy.pc, $(LOCAL_POLICY_DIRS)))
##################################
include $(CLEAR_VARS)
@@ -67,5 +68,21 @@
include $(BUILD_PREBUILT)
##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+property_contexts := $(intermediates)/property_contexts
+$(property_contexts): $(LOCAL_PATH)/property_contexts $(LOCAL_POLICY_PC)
+ @mkdir -p $(dir $@)
+ $(hide) cat $^ > $@
+
+property_contexts :=
+##################################
endif #ifeq ($(HAVE_SELINUX),true)
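Review bot: `cat $^ > $@` joins the base property_contexts and every device sepolicy.pc byte for byte, so an input that lacks a final newline gets its last entry fused with the first line of the next file, producing a malformed or mislabelled entry. Emitting a newline after each input avoids that, for example `$(hide) for f in $^; do cat $$f; echo; done > $@`. The plain redirect also leaves a partial `$@` behind if an input cannot be read; writing to `$@.tmp` and renaming it would keep a truncated contexts file from being installed. A comment should also state whether device sepolicy.pc entries are meant to override the base entries, since that depends on how the selabel backend orders matches, which these hunks do not show.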
diff --git a/access_vectors b/access_vectors
index 90927e7..4b0c4b1 100644
--- a/access_vectors
+++ b/access_vectors
@@ -880,3 +880,8 @@
specifyinvokewith
specifyseinfo
}
+
+class property_service
+{
+ set
+}
diff --git a/attributes b/attributes
index f2ea0c5..1016ec6 100644
--- a/attributes
+++ b/attributes
@@ -33,6 +33,9 @@
# All types used for network ports.
attribute port_type;
+# All types used for property service
+attribute property_type;
+
# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
attribute mlstrustedsubject;
diff --git a/property.te b/property.te
new file mode 100644
index 0000000..b62004e
--- /dev/null
+++ b/property.te
@@ -0,0 +1,9 @@
+type default_prop, property_type;
+type shell_prop, property_type;
+type radio_prop, property_type;
+type system_prop, property_type;
+type vold_prop, property_type;
+type rild_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_dumpstate_prop, property_type;
+type ctl_rildaemon_prop, property_type;
diff --git a/property_contexts b/property_contexts
new file mode 100644
index 0000000..320179c
--- /dev/null
+++ b/property_contexts
@@ -0,0 +1,51 @@
+##########################
+# property service keys
+#
+#
+net.rmnet0 u:object_r:radio_prop:s0
+net.gprs u:object_r:radio_prop:s0
+net.ppp u:object_r:radio_prop:s0
+net.qmi u:object_r:radio_prop:s0
+net.lte u:object_r:radio_prop:s0
+persist.radio u:object_r:radio_prop:s0
+net.dns u:object_r:radio_prop:s0
+sys.usb.config u:object_r:radio_prop:s0
+gsm.current.phone-type u:object_r:radio_prop:s0
+gsm.sim. u:object_r:radio_prop:s0
+gsm.operator. u:object_r:radio_prop:s0
+gsm.version.baseband u:object_r:radio_prop:s0
+
+ril. u:object_r:rild_prop:s0
+gsm. u:object_r:rild_prop:s0
+net.cdma u:object_r:rild_prop:s0
+
+net. u:object_r:system_prop:s0
+dev. u:object_r:system_prop:s0
+runtime. u:object_r:system_prop:s0
+hw. u:object_r:system_prop:s0
+sys. u:object_r:system_prop:s0
+service. u:object_r:system_prop:s0
+wlan. u:object_r:system_prop:s0
+dhcp. u:object_r:system_prop:s0
+
+debug. u:object_r:shell_prop:s0
+log. u:object_r:shell_prop:s0
+service.adb.root u:object_r:shell_prop:s0
+service.adb.tcp.port u:object_r:shell_prop:s0
+
+persist.sys. u:object_r:system_prop:s0
+persist.service. u:object_r:system_prop:s0
+persist.security. u:object_r:system_prop:s0
+selinux. u:object_r:system_prop:s0
+
+# default property context
+* u:object_r:default_prop:s0
+
+# data partition encryption properties
+vold. u:object_r:vold_prop:s0
+crypto. u:object_r:vold_prop:s0
+
+# ctl properties
+ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
+ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
+ctl. u:object_r:ctl_default_prop:s0
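Review bot: `sys.usb.config` is labelled radio_prop, and radio.te in this same patch grants `allow radio radio_prop:property_service set;`, so the radio domain can change the USB configuration, which has no obvious connection to telephony. If a telephony component really needs it, a dedicated type for that one key would keep the grant narrow; otherwise the key should fall through to `sys.` and system_prop. Separately, several entries only take effect if lookup picks the most specific prefix rather than the first match: `service.adb.root` comes after `service.`, and `vold.`, `crypto.` and the `ctl.` entries come after `*`. The matching rule is not visible here, so a header comment such as `# Longest matching prefix wins; '*' is the fallback regardless of position` (if that is what the backend does) would make the ordering safe to edit.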
diff --git a/radio.te b/radio.te
index 9094cce..a119d75 100644
--- a/radio.te
+++ b/radio.te
@@ -15,3 +15,9 @@
allow radio radio_data_file:notdevfile_class_set create_file_perms;
allow radio alarm_device:chr_file rw_file_perms;
+
+# Property service
+allow radio radio_prop:property_service set;
+
+# ctl interface
+allow radio ctl_rildaemon_prop:property_service set;
diff --git a/rild.te b/rild.te
index 5993af4..684bc1d 100644
--- a/rild.te
+++ b/rild.te
@@ -20,3 +20,6 @@
dontaudit rild self:capability sys_admin;
# XXX Label sysfs files with a specific type?
allow rild sysfs:file rw_file_perms;
+
+# property service
+allow rild rild_prop:property_service set;
diff --git a/security_classes b/security_classes
index 38d78eb..197805e 100644
--- a/security_classes
+++ b/security_classes
@@ -134,4 +134,7 @@
class binder
class zygote
+# Property service
+class property_service # userspace
+
# FLASK
diff --git a/shell.te b/shell.te
index 0c67c46..b4fa7fd 100644
--- a/shell.te
+++ b/shell.te
@@ -31,3 +31,12 @@
# Run app_process.
# XXX Split into its own domain?
app_domain(shell)
+
+# Property Service
+allow shell shell_prop:property_service set;
+
+# setprop toolbox command
+allow shell property_socket:sock_file write;
+
+# ctl interface
+allow shell ctl_dumpstate_prop:property_service set;
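Review bot: `allow shell property_socket:sock_file write;` is the only rule in this patch that grants access to the property socket, while radio, rild, vold, system and surfaceflinger receive `property_service set` without it. If those domains do not already get the socket write elsewhere in the policy (not visible in these hunks), their set requests would be denied at the socket before the new class is ever checked. A comment saying where the other domains obtain socket access, or a shared macro that pairs the socket rule with the `set` grant, would keep the two from drifting apart.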
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 80607da..bbefa14 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -22,3 +22,6 @@
# Create and use netlink kobject uevent sockets.
allow surfaceflinger self:netlink_kobject_uevent_socket *;
+
+# ctl interface
+allow surfaceflinger ctl_default_prop:property_service set;
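Review bot: `ctl_default_prop` is the catch-all for every `ctl.` key except `ctl.dumpstate` and `ctl.ril-daemon` (per property_contexts in this patch), so this rule lets surfaceflinger issue any control request that is not separately labelled, not just the one it needs. Judging by those two entries, ctl keys are per service, so a dedicated type for the service surfaceflinger actually controls, with its own property_contexts entry, would follow the pattern already used for dumpstate and ril-daemon. The same applies to `allow system ctl_default_prop:property_service set;` in system.te, though system may legitimately need the broad grant; a comment naming the services involved would make that reviewable.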
diff --git a/system.te b/system.te
index 5fa9a91..58e4f47 100644
--- a/system.te
+++ b/system.te
@@ -146,6 +146,12 @@
allow system wallpaper_file:file relabelto;
allow system wallpaper_file:file r_file_perms;
+# Property Service write
+allow system system_prop:property_service set;
+
+# ctl interface
+allow system ctl_default_prop:property_service set;
+
# Create a socket for receiving info from wpa.
type_transition system wifi_data_file:sock_file system_wpa_socket;
allow system system_wpa_socket:sock_file create_file_perms;
diff --git a/unconfined.te b/unconfined.te
index 71cdfdd..ff53595 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -21,3 +21,4 @@
allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
allow unconfineddomain domain:peer recv;
allow unconfineddomain domain:binder { call transfer receive };
+allow unconfineddomain property_type:property_service set;
diff --git a/vold.te b/vold.te
index 85a58f9..403771f 100644
--- a/vold.te
+++ b/vold.te
@@ -54,3 +54,6 @@
# Create and mount on /data/tmp_mnt.
allow vold system_data_file:dir { write create add_name mounton };
+
+# Property Service
+allow vold vold_prop:property_service set;