authorJaekyun Seok2018-04-08 22:07:32 -0500
committerJaekyun Seok2018-04-12 19:25:06 -0500
commit224921d18a8aa83123adfbdef8e9c352795e2b6b (patch)
tree8638303dbbde063b4ac9d2a98775064820a1d83b
parent362f7d6bda118fd11a19dc8fb523a9ac6ef82f3d (diff)
Whitelist vendor-init-settable bluetooth_prop and wifi_prop
Values of the following properties are set by SoC vendors on some devices including Pixels. - persist.bluetooth.a2dp_offload.cap - persist.bluetooth.a2dp_offload.enable - persist.vendor.bluetooth.a2dp_offload.enable - ro.bt.bdaddr_path - wlan.driver.status So they should be whitelisted for compatibility. Bug: 77633703 Test: succeeded building and tested with Pixels Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
-rw-r--r--private/audioserver.te2
-rw-r--r--private/bluetooth.te2
-rw-r--r--private/compat/26.0/26.0.ignore.cil3
-rw-r--r--private/compat/27.0/27.0.ignore.cil3
-rw-r--r--private/priv_app.te1
-rw-r--r--private/system_app.te2
-rw-r--r--private/webview_zygote.te6
-rw-r--r--private/zygote.te6
-rw-r--r--public/app.te2
-rw-r--r--public/hal_audio.te2
-rw-r--r--public/hal_bluetooth.te2
-rw-r--r--public/hal_wifi.te1
-rw-r--r--public/property.te3
-rw-r--r--public/property_contexts5
-rw-r--r--public/vendor_init.te3
-rw-r--r--public/wificond.te1
16 files changed, 41 insertions, 3 deletions
diff --git a/private/audioserver.te b/private/audioserver.te
index 471fcbed..a82cfecb 100644
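--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -37,7 +37,9 @@ allow audioserver power_service:service_manager find;
 allow audioserver scheduling_policy_service:service_manager find;
 
 # Allow read/write access to bluetooth-specific properties
+set_prop(audioserver, bluetooth_a2dp_offload_prop)
 set_prop(audioserver, bluetooth_prop)
+set_prop(audioserver, exported_bluetooth_prop)
 
 # Grant access to audio files to audioserver
 allow audioserver audio_data_file:dir ra_dir_perms;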
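Review bot: `set_prop(audioserver, exported_bluetooth_prop)` gives audioserver write permission on a type whose only member visible in this commit is `ro.bt.bdaddr_path` (see public/property_contexts), and nothing in the hunk shows audioserver writing that property. If audioserver only reads it, `get_prop(audioserver, exported_bluetooth_prop)` would meet the compatibility goal without the extra set permission; this needs confirming against the callers, which are not visible here. The same question applies to `set_prop(system_app, exported_bluetooth_prop)` in private/system_app.te. The comment above the block could also name the A2DP offload and exported types it now covers.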
diff --git a/private/bluetooth.te b/private/bluetooth.te
index fec94941..d4198553 100644
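--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -39,7 +39,9 @@ allow bluetooth uhid_device:chr_file rw_file_perms;
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
 
 # Allow write access to bluetooth specific properties
+set_prop(bluetooth, bluetooth_a2dp_offload_prop)
 set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, exported_bluetooth_prop)
 set_prop(bluetooth, pan_result_prop)
 
 allow bluetooth audioserver_service:service_manager find;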
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 3e227347..ab58ddaa 100644
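--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -11,6 +11,7 @@
  blank_screen
  blank_screen_exec
  blank_screen_tmpfs
+ bluetooth_a2dp_offload_prop
  bpfloader
  bpfloader_exec
  broadcastradio_service
@@ -18,6 +19,7 @@
  crossprofileapps_service
  e2fs
  e2fs_exec
+ exported_bluetooth_prop
  exported_config_prop
  exported_dalvik_prop
  exported_default_prop
@@ -31,6 +33,7 @@
  exported_system_prop
  exported_system_radio_prop
  exported_vold_prop
+ exported_wifi_prop
  exported2_config_prop
  exported2_default_prop
  exported2_radio_prop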
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index efc0166f..493ac312 100644
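--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -10,6 +10,7 @@
  blank_screen_exec
  blank_screen_tmpfs
  bootloader_boot_reason_prop
+ bluetooth_a2dp_offload_prop
  bpfloader
  bpfloader_exec
  cgroup_bpf
@@ -22,6 +23,7 @@
  exported3_default_prop
  exported3_radio_prop
  exported3_system_prop
+ exported_bluetooth_prop
  exported_config_prop
  exported_dalvik_prop
  exported_default_prop
@@ -35,6 +37,7 @@
  exported_system_prop
  exported_system_radio_prop
  exported_vold_prop
+ exported_wifi_prop
  fingerprint_vendor_data_file
  fs_bpf
  hal_authsecret_hwservice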
diff --git a/private/priv_app.te b/private/priv_app.te
index 0841c41f..99397a5b 100644
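--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -149,6 +149,7 @@ dontaudit priv_app proc_version:file read;
 dontaudit priv_app sysfs:dir read;
 dontaudit priv_app sysfs_android_usb:file read;
 dontaudit priv_app wifi_prop:file read;
+dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
 
 # allow privileged apps to use UDP sockets provided by the system server but not
 # modify them other than to connect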
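Review bot: The added `dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;` makes the line directly above it, `dontaudit priv_app wifi_prop:file read;`, redundant, because the new rule already covers `wifi_prop`. Either drop the old line or add only `dontaudit priv_app exported_wifi_prop:file read;`. Since dontaudit suppresses the denial record, keeping each suppressed type on one clearly scoped line makes it easier to audit which denials are being hidden from the logs.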
diff --git a/private/system_app.te b/private/system_app.te
index b2f83764..eb7e0505 100644
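--- a/private/system_app.te
+++ b/private/system_app.te
@@ -31,9 +31,11 @@ allow system_app wallpaper_file:file r_file_perms;
 allow system_app icon_file:file r_file_perms;
 
 # Write to properties
+set_prop(system_app, bluetooth_a2dp_offload_prop)
 set_prop(system_app, bluetooth_prop)
 set_prop(system_app, debug_prop)
 set_prop(system_app, system_prop)
+set_prop(system_app, exported_bluetooth_prop)
 set_prop(system_app, exported_system_prop)
 set_prop(system_app, exported2_system_prop)
 set_prop(system_app, exported3_system_prop)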
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index c9a401a7..c41f9cb3 100644
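--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -131,4 +131,8 @@ neverallow webview_zygote domain:{
 
 # Do not allow access to Bluetooth-related system properties.
 # neverallow rules for Bluetooth-related data files are listed above.
-neverallow webview_zygote bluetooth_prop:file create_file_perms;
+neverallow webview_zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;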
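Review bot: The widened neverallow still names only class `file`, so it constrains access to the property files but would not catch a later rule granting webview_zygote `property_service set` on any of the three types. If "Do not allow access" is meant to include setting these properties, a companion rule such as `neverallow webview_zygote { bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:property_service set;` would make that explicit, unless an equivalent rule already exists outside the hunk. The same applies to the matching rules in private/zygote.te and public/app.te.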
diff --git a/private/zygote.te b/private/zygote.te
index 0a1a7c6b..4f26bd01 100644
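--- a/private/zygote.te
+++ b/private/zygote.te
@@ -136,4 +136,8 @@ neverallow zygote {
 }:file no_x_file_perms;
 
 # Do not allow access to Bluetooth-related system properties and files
-neverallow zygote bluetooth_prop:file create_file_perms;
+neverallow zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;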
diff --git a/public/app.te b/public/app.te
index 4eeede95..cc4d285f 100644
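--- a/public/app.te
+++ b/public/app.te
@@ -557,7 +557,7 @@ neverallow {
  appdomain
  -bluetooth
  -system_app
-} bluetooth_prop:file create_file_perms;
+} { bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
 
 # Apps cannot access proc_uid_time_in_state
 neverallow appdomain proc_uid_time_in_state:file *;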
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 8d9d9328..037066ea 100644
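--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -34,3 +34,5 @@ neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
 
 # Only audio HAL may directly access the audio hardware
 neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
+
+get_prop(hal_audio, bluetooth_a2dp_offload_prop)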
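Review bot: The new `get_prop(hal_audio, bluetooth_a2dp_offload_prop)` is appended after the neverallow rules with no comment, whereas the other grants in this commit sit under an explanatory comment. A line such as `# Allow the audio HAL to read the Bluetooth A2DP offload properties` above it would record why the grant exists. Moving it up with the file's other allow rules, ahead of the neverallow block, would keep grants and assertions separate; the rest of the file is outside the hunk, so the exact position is a guess.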
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 461523bd..373dbec6 100644
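--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -21,7 +21,9 @@ allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
 allow hal_bluetooth self:global_capability2_class_set wake_alarm;
 
 # Allow write access to bluetooth-specific properties
+set_prop(hal_bluetooth, bluetooth_a2dp_offload_prop)
 set_prop(hal_bluetooth, bluetooth_prop)
+set_prop(hal_bluetooth, exported_bluetooth_prop)
 
 # /proc access (bluesleep etc.).
 allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;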
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 78823d00..7cea7c74 100644
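--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -8,6 +8,7 @@ allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
 r_dir_file(hal_wifi, proc_net)
 r_dir_file(hal_wifi, sysfs_type)
 
+set_prop(hal_wifi, exported_wifi_prop)
 set_prop(hal_wifi, wifi_prop)
 
 # allow hal wifi set interfaces up and down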
diff --git a/public/property.te b/public/property.te
index 6fa85dc9..80453683 100644
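--- a/public/property.te
+++ b/public/property.te
@@ -1,5 +1,6 @@
 type audio_prop, property_type, core_property_type;
 type boottime_prop, property_type;
+type bluetooth_a2dp_offload_prop, property_type;
 type bluetooth_prop, property_type;
 type bootloader_boot_reason_prop, property_type;
 type config_prop, property_type, core_property_type;
@@ -56,6 +57,7 @@ type wifi_prop, property_type;
 type vendor_security_patch_level_prop, property_type;
 
 # Properties for whitelisting
+type exported_bluetooth_prop, property_type;
 type exported_config_prop, property_type;
 type exported_dalvik_prop, property_type;
 type exported_default_prop, property_type;
@@ -68,6 +70,7 @@ type exported_radio_prop, property_type;
 type exported_system_prop, property_type;
 type exported_system_radio_prop, property_type;
 type exported_vold_prop, property_type;
+type exported_wifi_prop, property_type;
 type exported2_config_prop, property_type;
 type exported2_default_prop, property_type;
 type exported2_radio_prop, property_type;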
diff --git a/public/property_contexts b/public/property_contexts
index 57a61231..380b16ce 100644
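--- a/public/property_contexts
+++ b/public/property_contexts
@@ -61,6 +61,8 @@ dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
 drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
 keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
 media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
+persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
+persist.bluetooth.a2dp_offload.enable u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
 persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
 persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
 persist.dbg.vt_avail_ovr u:object_r:exported3_default_prop:s0 exact int
@@ -69,6 +71,7 @@ persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
 persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
 persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
 persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact bool
+persist.vendor.bluetooth.a2dp_offload.enable u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
 pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
@@ -77,6 +80,7 @@ pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
 ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
 ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
 ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
+ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
 ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
 ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
 ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
@@ -113,6 +117,7 @@ sys.usb.state u:object_r:exported2_system_prop:s0 exact string
 telephony.lteOnCdmaDevice u:object_r:exported3_default_prop:s0 exact int
 tombstoned.max_tombstone_count u:object_r:exported3_default_prop:s0 exact int
 vold.post_fs_data_done u:object_r:exported2_vold_prop:s0 exact int
+wlan.driver.status u:object_r:exported_wifi_prop:s0 exact enum ok unloaded
 
 # vendor-init-readable|vendor-init-actionable
 dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool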
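Review bot: `wlan.driver.status` is declared `exact enum ok unloaded`, so any other value falls outside the declared set and would presumably be rejected once property types are enforced. It is worth confirming that none of the writers granted `set_prop` on `exported_wifi_prop` in this commit (hal_wifi, wificond, vendor_init) ever reports a further state such as a failure or timeout value. If one does, extend the enum rather than loosening the entry to `string`. `ro.bt.bdaddr_path` is typed `string`, which puts no constraint on the path itself, so its readers should treat it as a vendor-supplied path and validate it before opening.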
diff --git a/public/vendor_init.te b/public/vendor_init.te
index dee2006a..02739250 100644
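--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -159,7 +159,9 @@ not_compatible_property(`
  })
 ')
 
+set_prop(vendor_init, bluetooth_a2dp_offload_prop)
 set_prop(vendor_init, debug_prop)
+set_prop(vendor_init, exported_bluetooth_prop)
 set_prop(vendor_init, exported_config_prop)
 set_prop(vendor_init, exported_dalvik_prop)
 set_prop(vendor_init, exported_default_prop)
@@ -168,6 +170,7 @@ set_prop(vendor_init, exported_overlay_prop)
 set_prop(vendor_init, exported_pm_prop)
 set_prop(vendor_init, exported_radio_prop)
 set_prop(vendor_init, exported_system_radio_prop)
+set_prop(vendor_init, exported_wifi_prop)
 set_prop(vendor_init, exported2_config_prop)
 set_prop(vendor_init, exported2_system_prop)
 set_prop(vendor_init, exported2_vold_prop)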
diff --git a/public/wificond.te b/public/wificond.te
index f4990b2d..96668f3a 100644
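--- a/public/wificond.te
+++ b/public/wificond.te
@@ -7,6 +7,7 @@ binder_call(wificond, system_server)
 
 add_service(wificond, wificond_service)
 
+set_prop(wificond, exported_wifi_prop)
 set_prop(wificond, wifi_prop)
 set_prop(wificond, ctl_default_prop)
 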