Assign a label to the ro.boottime.* properties

system/core commit 331cf2fb7c16b5b25064f8d2f00284105a9b413f created a number of new properties of the form: [ro.boottime.init]: [5294587604] [ro.boottime.InputEventFind]: [10278767840] [ro.boottime.adbd]: [8359267180] ... These properties were assigned the default_prop SELinux label because a better label did not exist. Properties labeled with the default_prop label are readable to any SELinux domain, which is overly broad. bullhead:/ $ getprop -Z ro.boottime.adbd u:object_r:default_prop:s0 Instead, create a new label for the ro.boottime.* properties so we can apply more fine grain read access control to these properties. bullhead:/ $ getprop -Z ro.boottime.adbd u:object_r:boottime_prop:s0 New SELinux property labels have minimal permissions by default. As a result, after this change, ro.boottime.* properties will only be readable to system_server, bootstat, init (because it manages the property space), and "adb root" (because no SELinux permissions are enforced there). Additional read access can be granted as-needed. This is part of a larger effort to implement fine-grain access control on the properties managed by init. Test: Device boots and no SELinux denials on boot. Change-Id: Ibf981cb81898f4356fdc5c1b6f15dd93c0d6d84d
2016-12-13 19:50:36 -08:00 · 2016-12-13 19:50:36 -08:00 · bb9a388840
commit bb9a388840
parent d57dd813a2
4 changed files with 8 additions and 0 deletions
--- a/private/property_contexts
+++ b/private/property_contexts
@ -58,6 +58,7 @@ persist.service.bdroid. u:object_r:bluetooth_prop:s0
 persist.security.       u:object_r:system_prop:s0
 persist.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boot.vendor.overlay.  u:object_r:overlay_prop:s0
+ro.boottime.             u:object_r:boottime_prop:s0

 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
--- a/public/bootstat.te
+++ b/public/bootstat.te
@ -8,3 +8,6 @@ allow bootstat bootstat_data_file:file create_file_perms;

 # Read access to pseudo filesystems (for /proc/uptime).
 r_dir_file(bootstat, proc)
+
+# Collect metrics on boot time created by init
+get_prop(bootstat, boottime_prop)
--- a/public/property.te
+++ b/public/property.te
@ -1,4 +1,5 @@
 type audio_prop, property_type, core_property_type;
+type boottime_prop, property_type;
 type bluetooth_prop, property_type, core_property_type;
 type config_prop, property_type, core_property_type;
 type cppreopt_prop, property_type, core_property_type;
--- a/public/system_server.te
+++ b/public/system_server.te
@ -384,6 +384,9 @@ set_prop(system_server, ctl_bugreport_prop)
 # cppreopt property
 set_prop(system_server, cppreopt_prop)

+# Collect metrics on boot time created by init
+get_prop(system_server, boottime_prop)
+
 # Create a socket for receiving info from wpa.
 allow system_server wpa_socket:dir rw_dir_perms;
 allow system_server system_wpa_socket:sock_file create_file_perms;