Add sepolicy for sdkext module prop
Add a domain for derive_sdk which is allowed to set persist.com.android.sdkext.sdk_info, readable by all apps (but should only be read by the BCP). Bug: 137191822 Test: run derive_sdk, getprop persist.com.android.sdkext.sdk_info Change-Id: I389116f45faad11fa5baa8d617dda30fb9acec7a
parent
fe55f30397
commit
e822545909
@ -1 +1,2 @@
|
|||||||
(/.*)? u:object_r:system_file:s0
|
(/.*)? u:object_r:system_file:s0
|
||||||
|
/bin/derive_sdk u:object_r:derive_sdk_exec:s0
|
||||||
|
@ -32,6 +32,7 @@
|
|||||||
mediatranscoding_tmpfs
|
mediatranscoding_tmpfs
|
||||||
linker_prop
|
linker_prop
|
||||||
mock_ota_prop
|
mock_ota_prop
|
||||||
|
module_sdkext_prop
|
||||||
ota_metadata_file
|
ota_metadata_file
|
||||||
ota_prop
|
ota_prop
|
||||||
art_apex_dir
|
art_apex_dir
|
||||||
|
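--- a/private/derive_sdk.te
+++ b/private/derive_sdk.te
@@ -0,0 +1,12 @@
+
+# Domain for derive_sdk
+type derive_sdk, domain, coredomain;
+type derive_sdk_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(derive_sdk)
+
+# Read /apex
+allow derive_sdk apex_mnt_dir:dir r_dir_perms;
+
+# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
+set_prop(derive_sdk, module_sdkext_prop)
+neverallow {domain -init -derive_sdk} module_sdkext_prop:property_service set;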
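Review bot: The `# Read /apex` comment is broader than the rule under it: `allow derive_sdk apex_mnt_dir:dir r_dir_perms;` grants directory access on `apex_mnt_dir` only, and nothing in this file grants file reads. If listing the directory is all derive_sdk needs, I would word it `# List /apex (directory access only)` so a later reader does not widen the rule to match the comment. The last comment has a similar gap: it says the property is readable by the bootclasspath, but this file only carries the write side (`set_prop` and the `neverallow` on `set`).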
@ -45,6 +45,9 @@ get_prop(domain, use_memfd_prop);
|
|||||||
# Allow to read properties for linker
|
# Allow to read properties for linker
|
||||||
get_prop(domain, linker_prop);
|
get_prop(domain, linker_prop);
|
||||||
|
|
||||||
|
# Read access to sdkext props
|
||||||
|
get_prop(domain, module_sdkext_prop)
|
||||||
|
|
||||||
# For now, everyone can access core property files
|
# For now, everyone can access core property files
|
||||||
# Device specific properties are not granted by default
|
# Device specific properties are not granted by default
|
||||||
not_compatible_property(`
|
not_compatible_property(`
|
||||||
|
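Review bot: `get_prop(domain, module_sdkext_prop)` opens the property to every domain, which is wider than the commit message's "should only be read by the BCP", and the comment above it does not say why. If the reason is that the reading code can run in any process, say so in the comment, e.g. `# Read access to sdkext props: read from bootclasspath code, so granted to all domains`; that reason is my inference and should be confirmed. Any property later added under this label inherits the domain-wide read, so it is worth stating that nothing sensitive belongs there. The line also drops the trailing `;` that the neighbouring `get_prop(domain, linker_prop);` uses.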
@ -224,3 +224,7 @@ ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0
|
|||||||
|
|
||||||
# Property to set/clear the warm reset flag after an OTA update.
|
# Property to set/clear the warm reset flag after an OTA update.
|
||||||
ota.warm_reset u:object_r:ota_prop:s0
|
ota.warm_reset u:object_r:ota_prop:s0
|
||||||
|
|
||||||
|
# Module properties
|
||||||
|
com.android.sdkext. u:object_r:module_sdkext_prop:s0
|
||||||
|
persist.com.android.sdkext. u:object_r:module_sdkext_prop:s0
|
||||||
|
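Review bot: The `com.android.sdkext.` prefix is labelled alongside `persist.com.android.sdkext.`, but the commit message and its test only mention `persist.com.android.sdkext.sdk_info`. Both entries appear to match by prefix, so any future property under either namespace becomes settable by derive_sdk and readable wherever `module_sdkext_prop` is. If no non-persistent property is planned, drop the first line; otherwise extend the comment, e.g. `# Module properties (sdkext): set by derive_sdk and init only`.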
@ -60,6 +60,7 @@ compatible_property_only(`
|
|||||||
|
|
||||||
# Properties which can't be written outside system
|
# Properties which can't be written outside system
|
||||||
system_restricted_prop(linker_prop)
|
system_restricted_prop(linker_prop)
|
||||||
|
system_restricted_prop(module_sdkext_prop)
|
||||||
system_restricted_prop(nnapi_ext_deny_product_prop)
|
system_restricted_prop(nnapi_ext_deny_product_prop)
|
||||||
system_restricted_prop(restorecon_prop)
|
system_restricted_prop(restorecon_prop)
|
||||||
system_restricted_prop(system_boot_reason_prop)
|
system_restricted_prop(system_boot_reason_prop)
|
||||||
@ -613,6 +614,7 @@ compatible_property_only(`
|
|||||||
-heapprofd_prop
|
-heapprofd_prop
|
||||||
-hwservicemanager_prop
|
-hwservicemanager_prop
|
||||||
-last_boot_reason_prop
|
-last_boot_reason_prop
|
||||||
|
-module_sdkext_prop
|
||||||
-system_lmk_prop
|
-system_lmk_prop
|
||||||
-linker_prop
|
-linker_prop
|
||||||
-log_prop
|
-log_prop
|
||||||
|
@ -221,6 +221,7 @@ not_compatible_property(`
|
|||||||
-nnapi_ext_deny_product_prop
|
-nnapi_ext_deny_product_prop
|
||||||
-init_svc_debug_prop
|
-init_svc_debug_prop
|
||||||
-linker_prop
|
-linker_prop
|
||||||
|
-module_sdkext_prop
|
||||||
-userspace_reboot_exported_prop
|
-userspace_reboot_exported_prop
|
||||||
-userspace_reboot_prop
|
-userspace_reboot_prop
|
||||||
})
|
})
|
||||||
|