Merge "Use prefixes for binder cache SELinux properties."

private/compat/29.0/29.0.ignore.cil

@@ -22,6 +22,7 @@
     blob_store_service
     binder_cache_bluetooth_server_prop
     binder_cache_system_server_prop
+    binder_cache_telephony_server_prop
     binderfs
     binderfs_logs
     binderfs_logs_proc

private/radio.te

@@ -15,3 +15,8 @@ allow radio uce_service:service_manager find;
 # Manage /data/misc/emergencynumberdb
 allow radio emergency_data_file:dir r_dir_perms;
 allow radio emergency_data_file:file r_file_perms;
+
+# allow telephony to access related cache properties
+set_prop(radio, binder_cache_telephony_server_prop);
+neverallow { domain -radio -init }
+    binder_cache_telephony_server_prop:property_service set;

public/domain.te

@@ -112,6 +112,7 @@ get_prop(domain, vndk_prop)
 # Binder cache properties are world-readable
 get_prop(domain, binder_cache_bluetooth_server_prop)
 get_prop(domain, binder_cache_system_server_prop)
+get_prop(domain, binder_cache_telephony_server_prop)
 
 # Let everyone read log properties, so that liblog can avoid sending unloggable
 # messages to logd.

public/property.te

@@ -66,6 +66,7 @@ compatible_property_only(`
 # Properties used by binder caches
 system_restricted_prop(binder_cache_bluetooth_server_prop)
 system_restricted_prop(binder_cache_system_server_prop)
+system_restricted_prop(binder_cache_telephony_server_prop)
 system_restricted_prop(bq_config_prop)
 system_restricted_prop(module_sdkextensions_prop)
 system_restricted_prop(nnapi_ext_deny_product_prop)

public/property_contexts

@@ -450,10 +450,6 @@ ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 ex
 # Binder cache properties.  These are world-readable
 cache_key.app_inactive                   u:object_r:binder_cache_system_server_prop:s0
 cache_key.is_compat_change_enabled       u:object_r:binder_cache_system_server_prop:s0
-cache_key.bluetooth.get_bond_state       u:object_r:binder_cache_bluetooth_server_prop:s0
-cache_key.bluetooth.get_profile_connection_state     u:object_r:binder_cache_bluetooth_server_prop:s0
-cache_key.bluetooth.get_state            u:object_r:binder_cache_bluetooth_server_prop:s0
-cache_key.bluetooth.is_offloaded_filtering_supported u:object_r:binder_cache_bluetooth_server_prop:s0
 cache_key.get_packages_for_uid           u:object_r:binder_cache_system_server_prop:s0
 cache_key.has_system_feature             u:object_r:binder_cache_system_server_prop:s0
 cache_key.is_interactive                 u:object_r:binder_cache_system_server_prop:s0
@@ -463,3 +459,7 @@ cache_key.volume_list                    u:object_r:binder_cache_system_server_p
 cache_key.display_info                   u:object_r:binder_cache_system_server_prop:s0
 cache_key.location_enabled               u:object_r:binder_cache_system_server_prop:s0
 cache_key.package_info                   u:object_r:binder_cache_system_server_prop:s0
+
+cache_key.bluetooth.                     u:object_r:binder_cache_bluetooth_server_prop:s0 prefix string
+cache_key.system_server.                 u:object_r:binder_cache_system_server_prop:s0 prefix string
+cache_key.telephony.                     u:object_r:binder_cache_telephony_server_prop:s0 prefix string