PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "sepolicy: allow rules for apk verify system property"

Browse Source
This commit is contained in:
Treehugger Robot 2019-12-05 16:08:37 +00:00 committed by Gerrit Code Review
commit 4c8a849f25
6 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
private/compat/29.0/29.0.cil
View File

@ -1143,7 +1143,7 @@
(typeattributeset default_android_hwservice_29_0 (default_android_hwservice))
(typeattributeset default_android_service_29_0 (default_android_service))
(typeattributeset default_android_vndservice_29_0 (default_android_vndservice))
(typeattributeset default_prop_29_0 (default_prop))
(typeattributeset default_prop_29_0 (default_prop apk_verity_prop))
(typeattributeset dev_cpu_variant_29_0 (dev_cpu_variant))
(typeattributeset device_29_0 (device))
(typeattributeset device_config_activity_manager_native_boot_prop_29_0 (device_config_activity_manager_native_boot_prop))

3
private/installd.te
View File

@ -37,6 +37,9 @@ allow installd rollback_data_file:file create_file_perms;
get_prop(installd, device_config_runtime_native_prop)
get_prop(installd, device_config_runtime_native_boot_prop)
# Allow installd to access apk verity feature flag (for legacy case).
get_prop(installd, apk_verity_prop)
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write };

3
private/system_server.te
View File

@ -639,6 +639,9 @@ get_prop(system_server, gsid_prop)
# Read the property that mocks an OTA
get_prop(system_server, mock_ota_prop)
# Read the property as feature flag for protecting apks with fs-verity.
get_prop(system_server, apk_verity_prop)
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;

1
public/property.te
View File

@ -98,6 +98,7 @@ compatible_property_only(`
# Properties with no restrictions
system_public_prop(audio_prop)
system_public_prop(apk_verity_prop)
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
system_public_prop(bluetooth_prop)

1
public/property_contexts
View File

@ -98,6 +98,7 @@ pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
ro.af.client_heap_size_kbyte u:object_r:exported3_default_prop:s0 exact int
ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string

1
public/vendor_init.te
View File

@ -229,6 +229,7 @@ not_compatible_property(`
# Get file context
allow vendor_init file_contexts_file:file r_file_perms;
set_prop(vendor_init, apk_verity_prop)
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, bluetooth_audio_hal_prop)
set_prop(vendor_init, cpu_variant_prop)